Analysis Report

Overview

General Information

Analysis ID: 54912
Start time: 16:27:17
Start date: 29/01/2015
Overall analysis duration: 0h 7m 5s
Report type: full
Sample file name: downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2003 SP1, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 13
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
HCA enabled: true
HCA success:
  • true, ratio: 97%
  • Number of executed functions: 79
  • Number of non-executed functions: 143
Warnings:
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.


Detection

Strategy: Threshold
Detection: malicious


Signature Overview


Change of System Appearance:

Changes the wallpaper picture
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_USERS\Control Panel\Desktop TileWallpaper

DDOS:

Contains functionality to access network services in a loop (often DDOS functionality)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01590762 socket,Sleep,connect,send,recv,send,select,Sleep,closesocket,ioctlsocket,recv,closesocket,closesocket,TerminateThread,1_2_01590762

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015C136D CryptDecrypt,1_2_015C136D

Spam, unwanted Advertisements and Ransom Demands:

Moves many txt or jpg files (may be a ransomware encrypting documents)
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT
Source: C:\Windows\System32\svchost.exe | File moved: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.msn[2].txt
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\OFFICE11\NOISEENU.TXT
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\AutoIt3\Include\_ReadMe_.txt
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG
Writes a notice file (html or txt) to demand a ransom
Source: C:\Windows\System32\svchost.exe | File dropped: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dzwyyul.txt -> your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. private decryption key is stored on a secret internet server and nobody can decrypt your files until you pay and obtain the private key. if you see the main locker window, follow the instructions on the locker. overwise, it's seems that you or your antivirus deleted the locker program. now you have the last chance to decrypt your files. open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. they are public gates to the secret server. if you have problems with gates, use direct connection: 1. download tor browser from http://torproject.org 2. in the tor browser open the http://w7yue5dc5amppggs.onion/ note that this server is available via tor browser only. retry in 1 hour if site is not reachable. copy and paste the follow
Source: C:\Windows\explorer.exe | File dropped: C:\Users\admin\Documents\Decrypt-All-Files-dzwyyul.txt -> your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. private decryption key is stored on a secret internet server and nobody can decrypt your files until you pay and obtain the private key. if you see the main locker window, follow the instructions on the locker. overwise, it's seems that you or your antivirus deleted the locker program. now you have the last chance to decrypt your files. open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. they are public gates to the secret server. if you have problems with gates, use direct connection: 1. download tor browser from http://torproject.org 2. in the tor browser open the http://w7yue5dc5amppggs.onion/ note that this server is available via tor browser only. retry in 1 hour if site is not reachable. copy and paste the following public key in the inpu

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_003E3EB0 CreateFileW,WriteFile,CloseHandle,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,ReleaseDC,SelectObject,CreateSolidBrush,FillRect,CreateFileW,GetDIBits,WriteFile,WriteFile,WriteFile,CloseHandle,5_2_003E3EB0

Networking:

Urls found in memory or binary data
Source: upbbxxl.html.dr | String found in binary or memory: http://torproject.org
Source: Decrypt-All-Files-dzwyyul.txt.dr | String found in binary or memory: http://torproject.org
Source: upbbxxl.html.dr | String found in binary or memory: http://w7yue5dc5amppggs.onion
Source: Decrypt-All-Files-dzwyyul.txt.dr, upbbxxl.html.dr | String found in binary or memory: http://w7yue5dc5amppggs.onion.cab
Source: Decrypt-All-Files-dzwyyul.txt.dr | String found in binary or memory: http://w7yue5dc5amppggs.onion/
Source: Decrypt-All-Files-dzwyyul.txt.dr, upbbxxl.html.dr | String found in binary or memory: http://w7yue5dc5amppggs.tor2web.org
Source: upbbxxl.html.dr | String found in binary or memory: http://www.torproject.org/download/download-easy.html.en
Contains functionality to download additional files from the internet
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01590762 socket,Sleep,connect,send,recv,send,select,Sleep,closesocket,ioctlsocket,recv,closesocket,closesocket,TerminateThread,1_2_01590762

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015A791B setsockopt,bind,getsockname,1_2_015A791B
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0150E372 htonl,bind,listen,connect,accept,WSAGetLastError,WSASetLastError,WSASetLastError,1_2_0150E372
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_014BE372 htonl,bind,listen,connect,accept,WSAGetLastError,WSASetLastError,WSASetLastError,13_2_014BE372
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_0155791B setsockopt,bind,getsockname,13_2_0155791B

Stealing of Sensitive Information:

Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\svchost.exe | Directory queried: number of queries: 1002
Searches for Windows Mail specific files
Source: C:\Windows\System32\svchost.exe | Directory queried: C:\Program Files\Windows Mail *
Source: C:\Windows\System32\svchost.exe | Directory queried: C:\Program Files\Windows Mail\en-US *

Persistence and Installation Behavior:

Drops PE files
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | File created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
Terminates after testing mutex exists (may check infected machine status)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0155811C GetModuleHandleW,OpenMutexW,ExitProcess,CreateMutexW,SHGetFolderPathW,GetModuleFileNameW,GetTempPathW,GetTickCount,CreateFileW,WriteFile,CloseHandle,ShellExecuteW,CloseHandle,Sleep,RegCloseKey,RegCloseKey,GetCurrentThread,SetThreadPriority,InitializeSecurityDescriptor,AllocateAndInitializeSid,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,CreateDirectoryW,CreateFileW,CloseHandle,CreateThread,Sleep,CreateThread,GetVersion,FindWindowExW,CloseHandle,FindWindowW,SendMessageW,DeleteFileW,1_2_0155811C

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015921ED GetUserGeoID,LoadLibraryA,GetProcAddress,GetDesktopWindow,GetDC,ReleaseDC,CreateIconFromResource,GetLastError,LoadCursorW,RegisterClassExW,1_2_015921ED
PE file contains an invalid checksum
Source: initial sample | Static PE information: real checksum: 0x16dd2 should be: 0xb4672

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593BDA FindFirstFileW,CreateFileW,GetFileSize,ReadFile,CloseHandle,FindNextFileW,FindClose,CloseHandle,FindClose,1_2_01593BDA
Contains functionality to query local drives
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593901 GetLogicalDriveStringsW,RtlInitializeCriticalSection,GetDriveTypeW,wsprintfW,GetFileAttributesW,HeapCreate,RtlAllocateHeap,RtlInitializeCriticalSection,WaitForMultipleObjects,CloseHandle,HeapDestroy,CreateFileW,WriteFile,CloseHandle,1_2_01593901
Enumerates the file system
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Local
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\svchost.exe | Directory queried: number of queries: 1002

System Summary:

PE file contains a debug data directory
Source: initial sample | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: yuretor.pdb | source: downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015941C0 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,CloseHandle,1_2_015941C0
Contains functionality to enum processes or threads
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593DBC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_01593DBC
Creates files inside the program directory
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File created: C:\ProgramData\Adobe\hygrtse
Creates files inside the user directory
Source: C:\Windows\explorer.exe | File created: C:\Users\admin\Documents\Decrypt-All-Files-dzwyyul.txt
Creates temporary files
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | File created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
PE file has an executable .text section and no other executable section
Source: initial sample | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Windows\System32\svchost.exe | File read: C:\$Recycle.Bin\S-1-5-18\desktop.ini
Spawns processes
Source: unknown | Process created: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe
Source: unknown | Process created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe
Source: unknown | Process created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
Source: unknown | Process created: C:\Windows\System32\slui.exe
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows all
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Process created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe C:\Users\admin\AppData\Local\Temp\inbdgml.exe -u
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\slui.exe C:\Windows\System32\slui.exe -Embedding
Uses an in-process (OLE) Automation server
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Writes ini files
Source: C:\Windows\System32\svchost.exe | File written: C:\$Recycle.Bin\S-1-5-18\desktop.ini
Contains functionality to launch a process as a different user
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0159453A Sleep,DuplicateTokenEx,GetModuleFileNameW,wsprintfW,CreateProcessAsUserW,1_2_0159453A
Creates files inside the system directory
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012015012920150130\
Creates mutexes
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Mutant created: \BaseNamedObjects\riquinfqlgkboi
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Mutant created: \Sessions\1\BaseNamedObjects\riquinfqlgkboi
PE file contains strange resources
Source: initial sample | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0155811C GetModuleHandleW,OpenMutexW,ExitProcess,CreateMutexW,SHGetFolderPathW,GetModuleFileNameW,GetTempPathW,GetTickCount,CreateFileW,WriteFile,CloseHandle,ShellExecuteW,CloseHandle,Sleep,RegCloseKey,RegCloseKey,GetCurrentThread,SetThreadPriority,InitializeSecurityDescriptor,AllocateAndInitializeSid,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,CreateDirectoryW,CreateFileW,CloseHandle,CreateThread,Sleep,CreateThread,GetVersion,FindWindowExW,CloseHandle,FindWindowW,SendMessageW,DeleteFileW,1_2_0155811C
Contains functionality to create a new security descriptor
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0155811C GetModuleHandleW,OpenMutexW,ExitProcess,CreateMutexW,SHGetFolderPathW,GetModuleFileNameW,GetTempPathW,GetTickCount,CreateFileW,WriteFile,CloseHandle,ShellExecuteW,CloseHandle,Sleep,RegCloseKey,RegCloseKey,GetCurrentThread,SetThreadPriority,InitializeSecurityDescriptor,AllocateAndInitializeSid,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,CreateDirectoryW,CreateFileW,CloseHandle,CreateThread,Sleep,CreateThread,GetVersion,FindWindowExW,CloseHandle,FindWindowW,SendMessageW,DeleteFileW,1_2_0155811C
Allocates memory in foreign processes
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 3E0000 protect: page read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory allocated: C:\Windows\explorer.exe base: 1E00000 protect: page read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\System32\svchost.exe base: 3E0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\System32\svchost.exe base: 3E0000 protect: page read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\System32\svchost.exe base: 3E0000 protect: page execute read
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\explorer.exe base: 1E00000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\explorer.exe base: 1E00000 protect: page read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\explorer.exe base: 1E00000 protect: page execute read
Creates a thread in another existing process (thread injection)
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 3E57D3
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Thread created: C:\Windows\explorer.exe EIP: 1E057D3
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory written: PID: 1260 base: 1E00000 value: 70
Writes to foreign memory regions
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory written: C:\Windows\System32\svchost.exe base: 3E0000
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory written: C:\Windows\explorer.exe base: 1E00000

Anti Debugging and Sandbox Evasion:

Contains functionality to query system information
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015A38FB GetSystemInfo,1_2_015A38FB
Contains functionality to register its own exception handler
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0150A1D3 SetUnhandledExceptionFilter,1_2_0150A1D3
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01531588 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_01531588
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015153EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_015153EA
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_014BA1D3 SetUnhandledExceptionFilter,13_2_014BA1D3
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_014C53EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_014C53EA
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_014E1588 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_014E1588
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | System information queried: KernelDebuggerInformation
Checks the free space of harddrives
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01531588 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_01531588
Contains functionality to dynamically determine API calls
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015921ED GetUserGeoID,LoadLibraryA,GetProcAddress,GetDesktopWindow,GetDC,ReleaseDC,CreateIconFromResource,GetLastError,LoadCursorW,RegisterClassExW,1_2_015921ED
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0158E07D GetProcessHeap,RtlAllocateHeap,1_2_0158E07D
Enables debug privileges
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Process token adjusted: Debug
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe TID: 3472 | Thread sleep time: -180000ms >= -60000ms
Source: C:\Windows\System32\svchost.exe TID: 3824 | Thread sleep time: -922337203685477ms >= -60000ms
Source: C:\Windows\explorer.exe TID: 1308 | Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\explorer.exe TID: 3776 | Thread sleep time: -922337203685477ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe TID: 2244 | Thread sleep count: 107 > 100
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe TID: 2244 | Thread sleep time: -107000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe TID: 1016 | Thread sleep time: -60000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe TID: 1016 | Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\slui.exe TID: 432 | Thread sleep time: -60000ms >= -60000ms

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593BDA FindFirstFileW,CreateFileW,GetFileSize,ReadFile,CloseHandle,FindNextFileW,FindClose,CloseHandle,FindClose,1_2_01593BDA
Contains functionality to query local drives
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593901 GetLogicalDriveStringsW,RtlInitializeCriticalSection,GetDriveTypeW,wsprintfW,GetFileAttributesW,HeapCreate,RtlAllocateHeap,RtlInitializeCriticalSection,WaitForMultipleObjects,CloseHandle,HeapDestroy,CreateFileW,WriteFile,CloseHandle,1_2_01593901
Contains functionality to query system information
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015A38FB GetSystemInfo,1_2_015A38FB
Queries a list of all running processes
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Thread delayed: delay time: -180000
Enumerates the file system
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Local
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exeProcess information set: NOOPENFILEERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_003E643B LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,  5_2_003E643B

Language, Device and Operating System Detection:

barindex
Contains functionality to query local / system time
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe  Code function: 1_2_01550F55 GetSystemTimeAsFileTime,  1_2_01550F55
Contains functionality to query the account / user name
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe  Code function: 1_2_01592BA1 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoUninitialize,GetUserNameW,CoUninitialize,  1_2_01592BA1
Contains functionality to query time zone information
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe  Code function: 1_2_015E0E4D GetTimeZoneInformation,  1_2_015E0E4D
Contains functionality to query windows version
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe  Code function: 1_2_0158ECC7 GetVersion,  1_2_0158ECC7
Queries the cryptographic machine GUID
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe  Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Queries the installation date of Windows
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ VolumeInformation
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [0040bc10h], bl and CTI: je 003E55E5h  5_2_003E514D
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 003E557Ch  5_2_003E514D
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-02h], 00000001h and CTI: jne 003E557Ch  5_2_003E514D
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 003E55D7h  5_2_003E514D
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-02h], bl and CTI: jne 003E55D7h  5_2_003E514D
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 003E55D7h  5_2_003E514D
Source: C:\Windows\explorer.exe  Code function: 6_2_01E05142 GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [01e2bc10h], bl and CTI: je 01E055E5h  6_2_01E05142
Source: C:\Windows\explorer.exe  Code function: 6_2_01E05142 GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [eax], bl and CTI: jne 01E05530h  6_2_01E05142
Source: C:\Windows\explorer.exe  Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [01e2bc10h], bl and CTI: je 01E055E5h  6_2_01E0514D
Source: C:\Windows\explorer.exe  Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 01E0557Ch  6_2_01E0514D
Source: C:\Windows\explorer.exe  Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-02h], 00000001h and CTI: jne 01E0557Ch  6_2_01E0514D
Source: C:\Windows\explorer.exe  Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 01E055D7h  6_2_01E0514D
Source: C:\Windows\explorer.exe  Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-02h], bl and CTI: jne 01E055D7h  6_2_01E0514D
Source: C:\Windows\explorer.exe  Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 01E055D7h  6_2_01E0514D

Yara Overview

No Yara matches

Screenshot


Startup

  • system is w7
  • inbdgml.exe (PID: 3220 MD5: 521BD488A5DE44D84E9D145D3EB8A238)
    • svchost.exe (PID: 588 MD5: 54A47F6B5E09A77E61649109C6A08866)
      • slui.exe (PID: 2504 MD5: 8AC6025DF003DA5FE21939D58044C5B3)
    • explorer.exe (PID: 1260 MD5: 2626FC9755BE22F805D3CFA0CE3EE727)
    • vssadmin.exe (PID: 3908 MD5: 6E248A3D528EDE43994457CF417BD665)
    • inbdgml.exe (PID: 2232 MD5: 521BD488A5DE44D84E9D145D3EB8A238)
  • cleanup

Created / dropped Files

File Path | Type and Hashes
C:\$Recycle.Bin\S-1-5-18\desktop.ini
  • Type: ASCII text, with CRLF line terminators
  • MD5: A526B9E7C716B3489D8CC062FBCE4005
  • SHA: 2DF502A944FF721241BE20A9E449D2ACD07E0312
  • SHA-256: E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
  • SHA-512: D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
C:\Program Files\Adobe\Reader 9.0\Reader\Optional\README.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D325F6D4508C634AE4A80830B47D745C
  • SHA: D9028D17F67C11C076058A29D9351265873E1072
  • SHA-256: A0540687EA49300E57B7B50E08DE1D8A9549EE1A9DDF6AC4E84F7FF04521AB6B
  • SHA-512: 38D757D6E67DC9213D03622A0345705EEBF2E0AE9F8EEA904A0941E408A502002523609A4A68900E86089392A144F5C0854BD7F3ADA61AC1851BD1CFE7D3CCF4
C:\Program Files\AutoIt3\AutoItX\StandardDLL\VC6\Example\main.CPP.dzwyyul (copy)
  • Type: data
  • MD5: 51125947A81520F82017AD350F7A6A6F
  • SHA: BEC9E360E5701A171510A69A0805A523B724971A
  • SHA-256: 8AECF1F70AB56C8AFEDB21752DD63181F32BEB9C7C1A037459EE539DF69CE77E
  • SHA-512: 8256DC4BA8D4F0B725F11686BA1D3C2D033E72D7AF9420EC39FDB21E4A96E16F4751B02E3621C349ACE3BFF3D9CF71BD0ABB0E7A1A278968F6D5C8626547897A
C:\Program Files\AutoIt3\Examples\COM\Worksheet.XLS.dzwyyul (copy)
  • Type: data
  • MD5: B0CD4C698F4262C06E3BFEB644435FF0
  • SHA: ABD00C2134D8BF5A94887855E268B5FA372C9C46
  • SHA-256: 415600D9DB5036FC9CB062E48444033BD98389A8BB4FF075722DBAD8FB2B4F2C
  • SHA-512: E1BD65097ACAC8A9B6AD22324C386D009A5755FB1953D6383085652B5C42D1E53A8B1885DE40FEC0095691B39A69672E696E3E331F339162EB98F5BFED0B67AC
C:\Program Files\AutoIt3\Examples\GUI\mslogo.JPG.dzwyyul (copy)
  • Type: data
  • MD5: 54553B1F7381CD6FA09158EF3A42F0FB
  • SHA: 342AEFB5B00E6B0BF29F7D619B6698F2D8D63625
  • SHA-256: AB7A748889B992F6871E22E2126E467436D8B702AFE7AFE110CAB14AEE05CFDD
  • SHA-512: 24AC504BFB7CD1BDF941498569BB11A3C943D3902F6822DC755B52E778B5758EC635F4D48A9B8AA0EDBD367FADC98E803E5FB900AF92C588904EA118AC4ED26A
C:\Program Files\AutoIt3\Examples\GUI\msoobe.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\AutoIt3\Examples\_ReadMe_.TXT.dzwyyul (copy)
  • Type: data
  • MD5: 928141115B22F4BCAE943599749B9C0F
  • SHA: 491FF59F87072BB8978DE9DED57D8412464B3B12
  • SHA-256: 334425F9211F124E7FF46815F21209E47D4A5917FBE0C93DF0B41E48B6AC2356
  • SHA-512: 5D7B01C4B5E5C0A19E954A7A4F83F942CC278064902A6E0068990160C84841F2D7A00F00C8B403FB4D8C6D5741AABCF9A09BE86D2029A2C74A356E2CC47E0253
C:\Program Files\AutoIt3\Extras\Editors\_ReadMe_.TXT.dzwyyul (copy)
  • Type: data
  • MD5: E36EE55615CAD0BEE904197687E01AA2
  • SHA: 980BDE873B2FB179A36D56FAD139D047D4ED96B8
  • SHA-256: 852DDCA4DFC061E24B83DB4C9E34606035B7812EA3AC28509FCDF4D7BC40E67A
  • SHA-512: F8421F9463C5CC12413C6167A26A6ECE41AC4CB5DB18688E590D050F453C7EF150E904FDD2505806CF9EDD231F75FE54307EE5964A9371024F4A9DD94829F747
C:\Program Files\AutoIt3\Extras\_ReadMe_.TXT.dzwyyul (copy)
  • Type: data
  • MD5: 09A88425E3D1B498097E904FF20FFDB4
  • SHA: F15A29500B40C0564F4254E530749B677C40CCB5
  • SHA-256: 87108618DDB9EDA40259979828DCA105A7B2E68B6BC43CB158FFA05376CCEBFA
  • SHA-512: 2F65345FD8DB2A624ACBFEDFD497E57F842E9DAD6B21880FDD486B5E728430877D01B240F6764C63D23B27F07C04148A40F8728F53D92DC859BB438710D4F386
C:\Program Files\Common Files\Adobe\Updater6\AdobeAUM_rootCert.CER.dzwyyul (copy)
  • Type: data
  • MD5: 491C43E3F467BA22985D6A8E99920478
  • SHA: 4DCD16F63216AFBD4590B3470748D6C599585D89
  • SHA-256: A068FFF7C4A24467C48C34F5A798EEA8749267185C633735D1F813785E349020
  • SHA-512: 55C0FF6B51D63CB684BE90D9D479A5E6E445B44C51025AF92BBF92B9463659B192DADBF0D569FDB08D54ADE4B0680E386E4387FBB55534AD137BC468767AA0B0
C:\Program Files\Common Files\Adobe\Updater6\AdobeUpdate.CER.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Common Files\Adobe\Updater6\AdobeUpdater.CER.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.CDR.dzwyyul (copy)
  • Type: data
  • MD5: 42B1A8A578FDBF779B41A7753CDEC98C
  • SHA: ED5E3DED92CC33B8A9DFCB709E31B582FEDEBA8B
  • SHA-256: BA41F3491B24B853AAAB1F78924CFE47F41CA1C5AC3F2AAC8007E47C557DECD2
  • SHA-512: 590C863DB385E084F3E5C791E7F75226617FE8FFD1C3401ABF2E061CE1BA0E9362BEE9F3C31ABF41B427971B706453AD717033CAFE3583D2BF6A3DDBBB553425
C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Common Files\microsoft shared\Snapshot Viewer\README.TXT.dzwyyul (copy)
  • Type: data
  • MD5: 6F84C8BEF024AEE691D8F0DB2A473F15
  • SHA: DAA73B0B01236D7739FD963036482CCF228F9F4D
  • SHA-256: 14F18F1A3020E8197A0B5B533287FB28FDB32D6D430AA17832FCC0880D54ECC1
  • SHA-512: A109EE7078E546FCB97460B30F121A5C50D06FCA41455AAD534CE0326E5C1B8D2D7F912F49A31F3C7933DBB023EC2FBFA095A51AFE5C36FF5A5570E0EC04B822
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe.CONFIG.dzwyyul (copy)
  • Type: data
  • MD5: D6DE3518E23D4AE007A0DC52469EC0AE
  • SHA: 01B571BCCE8814B30043DB708FEC1DD2335076A4
  • SHA-256: CBEBDF8071E71145711DF070C0FD2DB442D2303C7FAA05CA3BE4E1E4D13E31A6
  • SHA-512: D906ABBCBF95BBD7129D76CF18531751B28AC3B54D879488F489AB1CFC329B44C209C13AD9DB74F149D50530FD05760B93881564D7CB1DD1AD26382CFC877A7E
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\vs7jit.exe.CONFIG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Java\jre6\README.TXT.dzwyyul (copy)
  • Type: data
  • MD5: BF5C303234A29EB824C452BF6B904A96
  • SHA: D7A9869A7D00C6ED3B3D456C4A13C2CE13326256
  • SHA-256: D648A912EF66729ED7DC55BC5E3E4160320C3C63F5DC3E2A4EA35B8B6062F6F2
  • SHA-512: A9DA211BF31EE7F065495EBF65CE0B0E96C863E55CF1723A76495146855FD8D05B60028BBA1E62060AD41891A52C0F94DF7FD13823E04496D14CB09B5DC36CAE
C:\Program Files\Java\jre6\THIRDPARTYLICENSEREADME.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Java\jre6\bin\client\Xusage.TXT.dzwyyul (copy)
  • Type: data
  • MD5: 00DD888A99A973FCEA43957EF5FB8CEA
  • SHA: 07E00AD42E963986A548BA105CECACAEEB700C9F
  • SHA-256: 902EE76923CAAFA55E995950587CEBF1DBD37F0A9B09C929AE43871AC5839488
  • SHA-512: C3573C4FAC9BC32047D1ECA1A02C9993AFFEA0B2F1B9CF10FFECE6454019C7ACB18140F7BC561D5D7577A92E0D8FE9B106C6051DFDF5FABDE357F4C98103C0B1
C:\Program Files\Java\jre6\lib\deploy\ffjcext.ZIP.dzwyyul (copy)
  • Type: data
  • MD5: C760A2A70032A275EA303E32290AA028
  • SHA: 44743C4C90D73808256B49770363AEAD4A7FDD9B
  • SHA-256: 3D4C4852B38615E25CAF1CAA0004A4DBA6A9468854D77CBDF92C5C96BF185279
  • SHA-512: 71CF6082566249B1138DC1865380CCCE34FC95152B40FEBA5F1A6D0250AD0C03EF3B70B47A144AEC306879EA04BDA28E6A1F9336868C0D2CDEE8B0F78F236651
C:\Program Files\Java\jre6\lib\deploy\jqs\ff\chrome\content\overlay.JS.dzwyyul (copy)
  • Type: data
  • MD5: 734939188BB3BFFDC32A2D0FFA9E965B
  • SHA: 19572E823BF869ABCA91BE8BEEE6742F7F81B51A
  • SHA-256: 8DE5FE93712FA9F9EE87A645AB3ADFD8D82610F85C5681FCFD7A6A5AA5D85026
  • SHA-512: 6A9287ECD6CDEAE4AE25859AAA95569B389FF0D92ACE32095DB69C968EDF20278DB0740BCD2F57C35BABC8667111648782079826BC95AEE0A19241DBB5AC1AAA
C:\Program Files\Java\jre6\lib\jvm.hprof.TXT.dzwyyul (copy)
  • Type: data
  • MD5: 7D86B9A72D9F541610DD269610DB7A9D
  • SHA: D80E4BF69806A5F8CAA28C95621D0394F997233D
  • SHA-256: CE3D2634D68B4673496AC1329E8F2E387F4FADAF662B40ABD850B5D221DF56EA
  • SHA-512: DDD095B00F8EB6E9F937D4F49B686725F16A4C0E6305B3F8F09FEC0283A4BDAB7BA3C225848A2BE70DD567E8C30F0CB1A33410BE5ED76B7B5D885870B30CD317
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dzwyyul.bmp
  • Type: PC bitmap, Windows 3.x format, 1024 x 768 x 24
  • MD5: 7F083C112EAB6E727AB9E855FC557B1D
  • SHA: 9997A226B0C85F3345BC29AB9E1CE04D63DE6F64
  • SHA-256: 851B566EA9D1BD77B51565EBB627BB417CEADA67FC4072E1F677DCFBC0BBD618
  • SHA-512: 3AFB69DDED1443386B675C4EF52C6E995A9C85DE31760A18820A56DC677F1BC4D83A7444174CC3A458A2AF3DA41B9B1F999BF255EE7949037549C04C61AA36F0
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dzwyyul.txt
  • Type: UTF-8 Unicode (with BOM) English text, with CRLF line terminators
  • MD5: D526C3603A4EBEE241473804C3E8724B
  • SHA: 818540D853A500DF2CA18E8611AD6047CC3AF7AF
  • SHA-256: 451C33E753CC5ECAAA24EC640D81AB947690711DF60179E580AD81282AC16508
  • SHA-512: A5D7FC52C5570E78C4357157D9CF60ADD042E2691937FAE67B88FF2256AEE7988BF882292AE97C3664C9DACF68B3AF6116799DE6006F97BB208DD6CDA5EF28BD
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG.dzwyyul (copy)
  • Type: data
  • MD5: BA28BDCBB84CBAE2E20397FAA936E3C3
  • SHA: CCBE84CD890B9DE3EA26FF66FE157A72F8CA4B8F
  • SHA-256: 7AD492325F3B04F2BE18E6D17D0D65F903107C4C51C064780F4B1A7B84DE9A78
  • SHA-512: 6473B2828CCFB7EA85D0E09FE3DF93842356B6E7997D3D3A8A266E8BEEF3F9AECF0005AC1A219526ED266D68A39D7E7AE5AF428CAB595D0381E4CB79940D3001
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG.dzwyyul (copy)
  • Type: data
  • MD5: BAF6B3EB17D5D6F88D85470D8BAB4292
  • SHA: 18FFA850E995805C24EDD36A2B753E8D691A8F2D
  • SHA-256: 4ED83A6FADD695B375C23663C578B55B6E092BB4755C61FCD8A2693962800A96
  • SHA-512: 234C8919A41D149832338F2E36039C0143306A1B7C091BF8F5BEEA995675F5E910948A36C7F735D00CFE67EF18445A1F5640803EB343676194E87D454B422D74
C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\FILTERS.TXT.dzwyyul (copy)
  • Type: data
  • MD5: 14FB12666C8B03195BF1ED90D23A159C
  • SHA: 231C61ED790292DAD48D485DFD483DCDCE810C8C
  • SHA-256: A7133C586C00ED039F770072A5F6E6B4FD745B26201DDA2BE60536F925019C04
  • SHA-512: F6B357E792F759E2EF0A6E08B8CDC615E8C5549DC9BEF975D6086DABFEBBF8EA565B3823485850DA68B3304B8A992E5DC5F20263CE268D2C4E17F766234771BF
C:\Program Files\Microsoft Office\OFFICE11\1033\MS_LOGO.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\OFFTEXT.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\PNGRDM.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\PROTTPLN.DOC.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\PROTTPLN.PPT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\PROTTPLN.XLS.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\PROTTPLV.DOC.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\PROTTPLV.PPT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\PROTTPLV.XLS.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\START.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\TITLE.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\TOUR_NF.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\1033\XL8GALRY.XLS.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISECHS.TXT.dzwyyul (copy)
  • Type: data
  • MD5: 8309DA961AD90E5232A1E4060270B590
  • SHA: 8DD7E50BF9D41DB8FF3B9B70D7D3C0B4D26B9796
  • SHA-256: 6C578C4EB993DE1D0F1676011C4886BC3EF5B5369C5A6EE1913B003069293E99
  • SHA-512: 8D9A3ABB64052A698B03D480767AFBF108FD4F5E92B6C887903D28D18137B1054E844E671814AA416F0DF17809E980F958EF9438CDFC5052AF3C1DFBEF525A8F
C:\Program Files\Microsoft Office\OFFICE11\NOISECHT.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISEDEU.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISEENG.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISEENU.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISEESN.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISEFRA.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISEITA.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISEJPN.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISEKOR.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISENEU.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISENLD.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISESVE.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\NOISETHA.TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\OFFICE11\SAMPLES\SOLVSAMP.XLS.dzwyyul (copy)
  • Type: data
  • MD5: 588B8F4E885A1F26EC6D78796CCB951D
  • SHA: 82EDDE5BA199FDF7B320F4296BF0235724633D82
  • SHA-256: 6A0CF8312763C8918D44B158F5C9578D975E899F7E09A7B46C5E19270B518B60
  • SHA-512: E5CD7B30FA3C4B70A5154C7C847AD0CB1AE01DF3967677DF0A34ABF2F89920CEF05F85F7B283E0D8EBF10C15C19173BF94E954DA69D695632AC403089625E641
C:\Program Files\Microsoft Office\Stationery\1033\NOTEBOOK.JPG.dzwyyul (copy)
  • Type: data
  • MD5: CB5CEF100C22FA234E9AE755EC1FF406
  • SHA: 0B448FC425C53319105A31423F909B2D382B88CC
  • SHA-256: D0B631FFCD2892EE9E0B527982693DC231C1F73AB5EA1A57A3DF7FB4CAE4439A
  • SHA-512: 40D1273ECD3F9BB43858E53A0F4BE09F82001B8A1D469E1FAEA67A13765966B3E4AB3A1C2E4F372C79F47E0F0C08208FFD7D25D74C12AA1FC7FC51231AD30023
C:\Program Files\Microsoft Office\Stationery\1033\PINELUMB.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Microsoft Office\Stationery\1033\SEAMARBL.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Program Files\Sol Edit\License.TXT.dzwyyul (copy)
  • Type: data
  • MD5: 30FC0E689674FFFFE787F6970192DADB
  • SHA: C2657A65C0E877B1BA102EDC35198E3084BCDDFB
  • SHA-256: 62BC46845FB6B29ACEA26C8BB11B35B3B81A141548853A3391677C3CB026B341
  • SHA-512: 7CC70AA5632BA00F56BA15A8DFE81C7722A46A2BBEC989093CFFC81E0BAB00A5ABFD5C74AD6E87A6D141CF2559E48DA6F758E4FA4956466BE80C8F15B4E041CB
C:\ProgramData\Adobe\hygrtse
  • Type: data
  • MD5: 87395BBC45F873CD8C3859C259B6CF10
  • SHA: 006AA75600FB765833AC71A2FF136DD368C307D0
  • SHA-256: 0F0421E7E2B13E2D5D2E2FA5AE7FD6D96F0AFFF441637D688ABC0CD1FD73A344
  • SHA-512: 5BC110524BE0079847E40EA6CBDB6260D0366C6A5B4428253EE5E6E16C5316A4EFC3A411AD13005591C33DDB60407303DE76E65948096889FFD4AF568BF0D881
C:\ProgramData\upbbxxl.html
  • Type: ASCII English text, with very long lines, with CRLF, CR line terminators
  • MD5: 98B71A638C69E0FAEED510A3C323E5C7
  • SHA: D373D7837879818BAD34580D69A846C67D01A1E8
  • SHA-256: EE1539834ADED12F43737643AD2D87F3F9FD7EA73BA036DBD1C56EDADE361BA8
  • SHA-512: 80AEE8FC60A066D0FA53D0571C82D4069DFDF3957461C229D6A3B592AC6935746D69C020368F1E086E5D6BEC19BBB5529349F9D3C56AF7E851AB2133CA5BAB6D
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.JPG.dzwyyul (copy)
  • Type: data
  • MD5: 697F2BBB1E4F17CFF4C17637822ACC3E
  • SHA: C44E203F4F641A06F68E4CB3742C08FA017B15B9
  • SHA-256: E47D3FDEFFF7B475E68F8238967E925C8DC0B634ADBB885C79639F9624581581
  • SHA-512: 41BE78BBD793602FAECD3DA606CB9ECC939CE0DE5A21FCA373740957E13ACBA7D9CEADE03970BD261D345F2A34C2B105C8D739320B4787C56F8CB114F0BA25D5
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\brndlog.TXT.dzwyyul (copy)
  • Type: data
  • MD5: A5C16FF388D7E6CB608543CE27D3E9C7
  • SHA: 90411C5827D3DC69DD271520BE8A2DBBE517FB49
  • SHA-256: 0D93AE4F81B39BE3C02AC16CF38D362BA6F3959F1414368A1E3BDA6973E74376
  • SHA-512: 7F9A82D8ADE6700034A352E6C1E93C3EC60AB57F4FBD2A9E6A13951180333DBD9645318E9A91A82715DD4CCCE11F54369A0F7164FCBD054776B070AF83C0C57C
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.JPG.dzwyyul (copy)
  • Type: data
  • MD5: 4595E2F1018387F301DBC6E82049C0D0
  • SHA: D32307CC15F86D298D468A845CA1A0754CDDB7DE
  • SHA-256: 1AA17AEDB864F6E20D0DA7AA183C35C3A3B07059DD4C836C45E73E34F90E6625
  • SHA-512: A452FA56B9F2774C1B7D0C25183381F2DEB0B24A10AED305DBA46BA7E43CB5CC8E38AE79E6B304F61E76D4AA6B980BF001304343DE145CA80EAB7E5B656BE3E3
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.JPG.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ERC\responsestatecache.xml
  • Type: XML document text
  • MD5: E5A5A467DD553B6B673677505C72444E
  • SHA: B3C6675C52CAA141B0BD349CB8821ACBEE060911
  • SHA-256: 0638CE2BE72BEFBB12472A98E6D40D37A6032AD0B4AA48B162C66B50C2C44DDA
  • SHA-512: 45A28659BDC1EE691E09DDCF708DBD63E9C8330B3C3BDFD7E91053B6F3D2A4AD43DA96D42B182AFF0BDE87A0BD6901FB003E12443C8F44DEA0C1B547F1025521
C:\Users\admin\AppData\Local\Temp\inbdgml.exe
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  • MD5: 521BD488A5DE44D84E9D145D3EB8A238
  • SHA: A9086094BA2EAA8DC6FF046788CCD441136AD692
  • SHA-256: 8A128F5122D32A4D6780644A13D3AC81CD85895CA025C5FB6E8BB12E94AA5F94
  • SHA-512: E34CA05DCA5745BA7E38F7414CE5C14407E31E28A3653408BE5A9DB411F4A1AE1C9F6E637D5147198E32C997BCD38698AC50F7397FA0696DB039DCE0A458F45B
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\9.0\JavaScripts\glob.settings.JS.dzwyyul (copy)
  • Type: data
  • MD5: 362D11CE5D3BBE29382CACE8FD4B0F71
  • SHA: E428F8DF0BB51C57CFB080ADECD7498C7D342758
  • SHA-256: EBBE328CC9F664AD1A4495AE7B5D81A84859181B3A6D34F5F8BDF1ACAC0EFC94
  • SHA-512: E6EF60A094F2DB3FA2E411705C7ADFB856B989615A190F4FB11DDEBECF462054014FC7255777EB835B4874C0CEC0AB05206494758EE29B5897E19A61A1317134
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@jumpshot[2].TXT.dzwyyul (copy)
  • Type: data
  • MD5: B31493D6AD8D6EAA9EB3F91D18B4815E
  • SHA: A075CF6625A7FEC2DBEDCCFBE8E864FDF696A62B
  • SHA-256: 89F5EC2CDE5099BD80B723C86E562A6A195846F46BF06D027BFE4BDE946DE9A7
  • SHA-512: 2057EF0716BA864B0793AA692F84F2117A405C4DEBB41780D07D405FBB30C82BABB191C544D15DFAF52F7A9619970297BC0249FF40171F3C18B05BB4B340BA7F
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@msn[1].TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@player.vimeo[2].TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@scorecardresearch[2].TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.msn[2].TXT.dzwyyul (copy)
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\Documents\Decrypt-All-Files-dzwyyul.bmp
  • Type: PC bitmap, Windows 3.x format, 800 x 600 x 24
  • MD5: 25DA0490F73F1C0A9FF03836FA9A0B75
  • SHA: BC0ACCF47B2E88BB52FA366EC3A337FB1181C073
  • SHA-256: CEBF5E64A06475D7C0D75E807AA3CD7BAF95C9595B7BB0CEC8C24BAC5557DAA9
  • SHA-512: 86C168F497D756BDBD188262EE0ACDCF767704477CF7F696D3D29FDCB4955719C6FA409682B4B24B538BD864B4C05AD99F7B68D56B0CF0BF4AEBB5DEF1CA7415
C:\Users\admin\Documents\Decrypt-All-Files-dzwyyul.txt
  • Type: UTF-8 Unicode (with BOM) English text, with CRLF line terminators
  • MD5: BE77169AE61DAF8C0BE5853D59CF0B55
  • SHA: F7E4B6504057BF1E704F45EB7DB8744E875753B2
  • SHA-256: 8ECF43271EF3F2490F61E2BFCC6C0976BCBDFDCDDEF746DE58DCDAC2F6A72FCF
  • SHA-512: D0AC8F659C13EF88D047CF6D42BA86FA6B60EEA1F2F31B3C5F908DF9703119D91844BE7BD09E8F1B1EE7D8C72D48B72E8ACFD71A4EE575523E62481551645853
C:\Users\admin\Documents\ProcessExplorer[1]\Eula.TXT.dzwyyul (copy)
  • Type: data
  • MD5: 5194C41C6E0A55AEB54AB6D200D0B3E9
  • SHA: 01DED1BFCA6A9D0FDDCBF3F62209443DB5E36717
  • SHA-256: 610C94363A25F833A1075E5541F902E15781F0E671EB19EF6134D0A0BDAF75B7
  • SHA-512: 6E767800B1BB1616B36687725A131EBB5399C40F1FFC10E71307C25A3CF41B6F26224C2A59AEDF716FD5FBDEF284EFC86C7BEC198E89F38248A7D9979859E7E2
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini
  • Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
  • MD5: 881DFAC93652EDB0A8228029BA92D0F5
  • SHA: 5B317253A63FECB167BF07BEFA05C5ED09C4CCEA
  • SHA-256: A45E345556901CD98B9BF8700B2A263F1DA2B2E53DBDF69B9E6CFAB6E0BD3464
  • SHA-512: 592B24DEB837D6B82C692DA781B8A69D9FA20BBAA3041D6C651839E72F45AC075A86CB967EA2DF08FA0635AE28D6064A900F5D15180B9037BB8BA02F9E8E1810
C:\Windows\Temp\lacrwpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lawdwpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lawlqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\layqwpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lcztvpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lgxpwpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\liaewpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\liiewpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lkdmqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lklcqwba.tmp
  • Type: data
  • MD5: EB8531CF5D1418528EDFFF14337B6ED8
  • SHA: 2E16CB9321B78F06326143238D23DCA602F6696C
  • SHA-256: EA14DA279EEF1F3B8EBF7FA9E5DF97E00D55BD01263963D52701AF318EC99C0A
  • SHA-512: D3051658545F797FED79697EAB38C2BE0145D658E80F3BBD648CBB1D2708E43B424A1473126FCB8CA630D74B05171DDD352100422DBFE8EFBA552390653FB638
C:\Windows\Temp\lknhwpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lkpuvpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lmcqwpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lmcuvpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lmkkqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lmkmwpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lmkuvpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lmmlqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lmqpwpba.tmp
  • Type: data
  • MD5: 9682B4B8F5DB6014461E38706A4ED692
  • SHA: 35C169BD87CC09D5DEB43E609516629EB64C8811
  • SHA-256: F9355FD0BF651DB1E805C59ADCC236623173C907992C98AEE214CB5D71904219
  • SHA-512: 8220BF0226CA45646E2910BA24743E2BEA9625587EECFCC9D208907320CF4BF80657D4D845FAAEF54892BC9D459197B4A131ACE9A323E6E90B4BCB59784E334E
C:\Windows\Temp\lmskqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lofkqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lofmwpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lqakqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lqeewpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lshuvpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lsrhwpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lsvtvpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lsxkqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\luitvpba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lwnkqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lyobqwba.tmp
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Windows\Temp\lyorwpba.tmp
  • Type: data
  • MD5: 5DF3FC16635943D91914DCAABA92718F
  • SHA: 11A537B27E65ADE5A14069AEA7E5B42BD01B7F9B
  • SHA-256: E9589503AC9990BB8CC49D4D5610DA0EAB06D33982B38B0ACF3169FC55D2E026
  • SHA-512: AA45310726EB57A7E34E457A7DA1EB38ECD1A8995F211F601B459871C9E50E953DFE0B6DCDEAF8640007AB51A2FCB7E235116EAB578EB7BE10AACE7F8D0A342E
C:\Windows\Temp\lyqqwpba.tmp
  • Type: data
  • MD5: E48F3A56DAE139874511B9BEF593CD94
  • SHA: 56FA41BAAF1C7B8A0F7356B0BD4B46BEB5F09641
  • SHA-256: ED26D3F6122FBBA851D7A6FB6115B625C13CF9E5820D19466FA3B0897AEB8402
  • SHA-512: 814FAAB90FC0414C3762A84D446839B4EC5E19279E628577918AA33C42DDCFCE959DC7EA737D8B70B3BCCF744A3484BA7E20E4AD80710A2FF19B72B33E1AE4C5

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP info

Static File Info

General

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  • Win32 Executable (generic) (4510/7) 52.92%
  • Generic Win/DOS Executable (2004/3) 23.51%
  • DOS Executable Generic (2002/1) 23.49%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.08%
File name: downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe
File size: 719872 bytes
MD5: 521bd488a5de44d84e9d145d3eb8a238
SHA1: a9086094ba2eaa8dc6ff046788ccd441136ad692
SHA256: 8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94
SHA512: e34ca05dca5745ba7e38f7414ce5c14407e31e28a3653408be5a9db411f4a1ae1c9f6e637d5147198e32c997bcd38698ac50f7397fa0696db039dce0a458f45b

File Icon

Static PE Info

General

Entrypoint: 0x4052ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x50898883 [Thu Oct 25 18:44:19 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
lea esp, dword ptr [ebp-38h]
add edx, FFFFFFA5h
or byte ptr [0040707Fh], dh
mov dl, byte ptr [00407133h]
mov byte ptr [004071B9h], FFFFFF94h
mov edi, dword ptr [00407009h]
push 00407229h
call dword ptr [00401090h]
test eax, eax
jne 0DC0476Ch
mov byte ptr [004070A6h], 00000018h
mov eax, dword ptr [00407115h]
add dh, FFFFFF99h
push 00407229h
call dword ptr [00401090h]
test eax, eax
jne 0DC0474Ah
mov ebx, dword ptr [004071D9h]
mov byte ptr [004071D5h], FFFFFFB2h
mov esi, dword ptr [0040701Fh]
mov byte ptr [0040712Bh], FFFFFFECh
mov edx, dword ptr [004070D5h]
cmp byte ptr [00407215h], 00000001h
jc 0DC07856h
nop
nop
nop
nop
nop
add edx, ebx
add edx, edx
adc edx, FFFFFFB6h
mov edx, dword ptr [004070B3h]
push 00407272h
push 00000008h
push 0040726Ah
push 0040725Fh
call dword ptr [00401060h]
test eax, eax
jne 0DC07ADAh
add byte ptr [004070C2h], bh
mov byte ptr [00407009h], 00000012h

Data Directories

IMAGE_DIRECTORY_ENTRY_EXPORT
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_IMPORT
  • Virtual Address: 0x63db
  • Virtual Size: 0xb4
  • Is in Section: .text
IMAGE_DIRECTORY_ENTRY_RESOURCE
  • Virtual Address: 0x8000
  • Virtual Size: 0xa8e99
  • Is in Section: .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_SECURITY
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_BASERELOC
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_DEBUG
  • Virtual Address: 0xb0e99
  • Virtual Size: 0x1c
  • Is in Section: .rsrc
IMAGE_DIRECTORY_ENTRY_COPYRIGHT
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_GLOBALPTR
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_TLS
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
  • Virtual Address: 0x260
  • Virtual Size: 0xaa
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_IAT
  • Virtual Address: 0x1000
  • Virtual Size: 0x198
  • Is in Section: .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:
IMAGE_DIRECTORY_ENTRY_RESERVED
  • Virtual Address: 0x0
  • Virtual Size: 0x0
  • Is in Section:

Sections

.text
  • Virtual Address: 0x1000
  • Virtual Size: 0x5d53
  • Raw Size: 0x5e00
  • Entropy: 5.73475962732
  • Xored PE: False
  • ZLIB Complexity: 0.441281582447
  • File Type: data
  • Characteristics: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data
  • Virtual Address: 0x7000
  • Virtual Size: 0x9fb
  • Raw Size: 0xa00
  • Entropy: 6.66458950414
  • Xored PE: False
  • ZLIB Complexity: 0.747265625
  • File Type: data
  • Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc
  • Virtual Address: 0x8000
  • Virtual Size: 0xa8ed9
  • Raw Size: 0xa9000
  • Entropy: 7.97245820607
  • Xored PE: False
  • ZLIB Complexity: 0.98147709412
  • File Type: data
  • Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

RT_ICON
  • RVA: 0x81f6
  • Size: 0x4228
  • Type: data
  • Language:
  • Country:
  • Nbr Of Functions: 0
  • Xored PE: False
RT_ICON
  • RVA: 0xc41e
  • Size: 0x10a8
  • Type: data
  • Language:
  • Country:
  • Nbr Of Functions: 0
  • Xored PE: False
RT_ICON
  • RVA: 0xd4c6
  • Size: 0x988
  • Type: data
  • Language:
  • Country:
  • Nbr Of Functions: 0
  • Xored PE: False
RT_ICON
  • RVA: 0xde4e
  • Size: 0x468
  • Type: GLS_BINARY_LSB_FIRST
  • Language:
  • Country:
  • Nbr Of Functions: 0
  • Xored PE: False
RT_RCDATA
  • RVA: 0xe2b6
  • Size: 0xa2400
  • Type: data
  • Language:
  • Country:
  • Nbr Of Functions: 0
  • Xored PE: False
RT_RCDATA
  • RVA: 0xb06b6
  • Size: 0x7e3
  • Type: data
  • Language:
  • Country:
  • Nbr Of Functions: 0
  • Xored PE: False
RT_GROUP_ICON
  • RVA: 0x81b0
  • Size: 0x46
  • Type: MS Windows icon resource - 4 icons, 64x64, 256-colors
  • Language:
  • Country:
  • Nbr Of Functions: 0
  • Xored PE: False

Imports

nddeapi.dll
  • Import: NDdeShareGetInfoA, NDdeShareDelA, NDdeShareSetInfoA
modemui.dll
  • Import: drvCommConfigDialogA, InvokeControlPanel, CountryRunOnce
WTSAPI32.dll
  • Import: WTSSetSessionInformationW, WTSVirtualChannelRead, WTSLogoffSession, WTSQuerySessionInformationA, WTSEnumerateServersA, WTSFreeMemory, WTSEnumerateProcessesA, WTSVirtualChannelOpen, WTSVirtualChannelClose, WTSWaitSystemEvent, WTSRegisterSessionNotification, WTSQueryUserToken, WTSOpenServerW, WTSUnRegisterSessionNotification, WTSSetUserConfigW
KERNEL32.dll
  • Import: GetPrivateProfileSectionA, ReadConsoleA, FormatMessageA, GetConsoleAliasW, GetStringTypeA, GetModuleHandleA, GetCommandLineA, SetEnvironmentVariableW, GetAtomNameA, WaitForSingleObject, CompareStringA, GetTickCount, SetCurrentDirectoryW, GetTimeFormatA, WriteConsoleA, GetPrivateProfileStructW, GetTickCount, ReadFile, GetCurrentDirectoryA, GetProcessId, GetNumberFormatW, VirtualAllocEx, GetGeoInfoA, SetFilePointer, GetDateFormatA
msimg32.dll
  • Import: DllInitialize, vSetDdrawflag, AlphaBlend, TransparentBlt
SHLWAPI.dll
  • Import: PathCommonPrefixA, UrlUnescapeA, UrlEscapeA, UrlCompareA, UrlGetPartA, UrlGetLocationA, UrlCombineA, UrlIsA, PathCompactPathA, UrlIsNoHistoryW
user32.dll
  • Import: GetPropA, DrawIcon, GetCaretPos, wsprintfA, GetMessageA, PeekMessageA, IsWindow, PostMessageA, SetCursorPos, IsZoomed, DialogBoxParamA, IsDialogMessageA, DispatchMessageA, LoadCursorA, GetWindowLongA, CreateWindowExA, IsCharLowerW
ADVAPI32.dll
  • Import: RegCloseKey, RegEnumValueA, OpenServiceA, IsValidSecurityDescriptor, ClearEventLogA, IsValidAcl, RegOpenKeyExA, CreateProcessAsUserA, RegEnumKeyA, IsTextUnicode, RegCreateKeyA, ControlService, CreateServiceA, RegSaveKeyA, RegDeleteKeyA, IsValidSid, RegFlushKey

Network Behavior

No network behavior found

Hooks - Code Manipulation Behavior

System Behavior

General

Start time: 16:27:59
Start date: 29/01/2015
Path: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x75380000
File size: 719872 bytes
MD5 hash: 521BD488A5DE44D84E9D145D3EB8A238

General

Start time: 16:28:01
Start date: 29/01/2015
Path: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
Wow64 process (32bit): false
Commandline: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
Imagebase: 0x75a40000
File size: 719872 bytes
MD5 hash: 521BD488A5DE44D84E9D145D3EB8A238

General

Start time: 16:28:05
Start date: 29/01/2015
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch
Imagebase: 0xc50000
File size: 20992 bytes
MD5 hash: 54A47F6B5E09A77E61649109C6A08866

General

Start time: 16:28:11
Start date: 29/01/2015
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x490000
File size: 2614272 bytes
MD5 hash: 2626FC9755BE22F805D3CFA0CE3EE727

General

Start time: 16:28:12
Start date: 29/01/2015
Path: C:\Windows\System32\vssadmin.exe
Wow64 process (32bit): false
Commandline: vssadmin delete shadows all
Imagebase: 0x76f30000
File size: 115200 bytes
MD5 hash: 6E248A3D528EDE43994457CF417BD665

General

Start time: 16:28:13
Start date: 29/01/2015
Path: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
Wow64 process (32bit): false
Commandline: C:\Users\admin\AppData\Local\Temp\inbdgml.exe -u
Imagebase: 0x400000
File size: 719872 bytes
MD5 hash: 521BD488A5DE44D84E9D145D3EB8A238

General

Start time: 16:28:27
Start date: 29/01/2015
Path: C:\Windows\System32\slui.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\slui.exe -Embedding
Imagebase: 0x4b0000
File size: 325632 bytes
MD5 hash: 8AC6025DF003DA5FE21939D58044C5B3

Disassembly

Code Analysis

    Executed Functions

    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 01558132
      • Part of subcall function 0158E2B1: RegOpenKeyExA.ADVAPI32(80000002,0166BB00,00000000,00000101,01558176,00000057), ref: 0158E2D9
      • Part of subcall function 0158E2B1: RegQueryValueExA.KERNEL32(01558176,0166BB20,00000000,00000000,041d84af-7e76-450d-8340-55db3c73c359,0000003F), ref: 0158E2F9
      • Part of subcall function 0158E2B1: RegCloseKey.KERNEL32(01558176), ref: 0158E302
    • OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 015581B2
    • ExitProcess.KERNEL32(00000000), ref: 015581BD
    • CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 015581CB
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData\upbbxxl.html), ref: 015581E6
      • Part of subcall function 0158E07D: GetProcessHeap.KERNEL32(00000008,0000001C,.html,015E532C,?,00000000,01558232), ref: 0158E09B
      • Part of subcall function 0158E07D: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0158E0A2
      • Part of subcall function 0158ECC7: GetVersion.KERNEL32(0155825B), ref: 0158ECC7
      • Part of subcall function 0159435A: Sleep.KERNEL32(00002710,.html,015E532C,?,01558269), ref: 015943AC
      • Part of subcall function 0159435A: ExitProcess.KERNEL32(00000000,?,01558269), ref: 015943BD
      • Part of subcall function 0159435A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 01594423
      • Part of subcall function 0159435A: WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 01594439
      • Part of subcall function 01593BDA: FindFirstFileW.KERNELBASE(?,?,00000000,?,01558296,?,?,?), ref: 01593C55
      • Part of subcall function 01593BDA: CreateFileW.KERNEL32(C:\ProgramData\Sun\hygrtse,80000000,00000000,00000000,00000003,00000002,00000000), ref: 01593D37
      • Part of subcall function 01593BDA: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,01558296,?,?,?), ref: 01593D47
      • Part of subcall function 01593BDA: ReadFile.KERNEL32(00000000,016CA528,0000028E,?,00000000), ref: 01593D68
      • Part of subcall function 01593BDA: CloseHandle.KERNEL32(00000000), ref: 01593D7A
      • Part of subcall function 01593BDA: FindNextFileW.KERNEL32(?,?,?,01558296,?,?,?), ref: 01593D8A
      • Part of subcall function 01593BDA: FindClose.KERNELBASE(?,?,01558296,?,?,?), ref: 01593D9B
      • Part of subcall function 01593BDA: CloseHandle.KERNEL32(00000000), ref: 01593DA9
      • Part of subcall function 01593BDA: FindClose.KERNEL32(?,?,?,?,?,?,01558296,?,?,?), ref: 01593DB2
    • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 015582AF
    • Sleep.KERNELBASE(0002BF20), ref: 015584F4
      • Part of subcall function 01593901: GetLogicalDriveStringsW.KERNEL32(00000400,?,.html,?,?,00000000,0155834C), ref: 0159391C
      • Part of subcall function 01593901: RtlInitializeCriticalSection.NTDLL(016CCF2C), ref: 0159392D
      • Part of subcall function 01593901: GetDriveTypeW.KERNEL32(?), ref: 015939A6
      • Part of subcall function 01593901: wsprintfW.USER32(?,0166C148,?), ref: 015939C6
      • Part of subcall function 01593901: GetFileAttributesW.KERNEL32(?,?,?,0155834C), ref: 015939D8
      • Part of subcall function 01593901: HeapCreate.KERNEL32(00000000,00010000,00000000), ref: 01593A48
      • Part of subcall function 01593901: RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 01593A5F
      • Part of subcall function 01593901: RtlInitializeCriticalSection.NTDLL(016CCC28), ref: 01593A89
      • Part of subcall function 01593901: WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 01593AE6
      • Part of subcall function 01593901: CloseHandle.KERNEL32(?), ref: 01593AF6
      • Part of subcall function 01593901: HeapDestroy.KERNEL32(?,00000000,0155834C), ref: 01593B1E
      • Part of subcall function 01593901: CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01593B86
      • Part of subcall function 01593901: WriteFile.KERNEL32(016CCF28,0168AD28,?,00000000), ref: 01593BA8
      • Part of subcall function 01593901: CloseHandle.KERNEL32 ref: 01593BB4
    • GetTempPathW.KERNEL32(00000100,?), ref: 015583E3
    • GetTickCount.KERNEL32 ref: 01558412
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01558440
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 01558460
    • CloseHandle.KERNEL32(00000000), ref: 01558467
    • ShellExecuteW.SHELL32(00000000,0166C2DC,?,00000000,00000000,00000005), ref: 0155847F
    • CloseHandle.KERNEL32(?), ref: 0155848E
      • Part of subcall function 01593DBC: CreateToolhelp32Snapshot.KERNEL32(00000002,01701094), ref: 01593DE4
      • Part of subcall function 01593DBC: Process32FirstW.KERNEL32 ref: 01593DFE
      • Part of subcall function 01593DBC: Process32NextW.KERNEL32(00000000,0000022C), ref: 01593E3E
      • Part of subcall function 01593DBC: CloseHandle.KERNEL32(00000000), ref: 01593E61
      • Part of subcall function 01592F9E: GetModuleFileNameW.KERNEL32(00000000,?,00000200,.html,?,00000000,?,015584B4,?), ref: 01592FBE
      • Part of subcall function 01592F9E: GetTempPathW.KERNEL32(00000200,?), ref: 01592FC9
      • Part of subcall function 01592F9E: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,015584B4,?), ref: 0159302E
      • Part of subcall function 01592F9E: GetFileSize.KERNEL32(00000000,00000000), ref: 01593040
      • Part of subcall function 01592F9E: ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0159305D
      • Part of subcall function 01592F9E: CloseHandle.KERNEL32(00000000), ref: 01593064
      • Part of subcall function 01592F9E: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000000,00000000), ref: 0159307A
      • Part of subcall function 01592F9E: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 015930E2
      • Part of subcall function 01592F9E: CloseHandle.KERNEL32(?), ref: 015930EB
      • Part of subcall function 015930F5: GetVersion.KERNEL32(?,?,015584E8,?,00000000,00000001,?,?,?,?,?,?,?,?), ref: 015930F9
    • RegCloseKey.ADVAPI32(?), ref: 0155858F
    • RegCloseKey.ADVAPI32(?), ref: 015585E9
    • GetCurrentThread.KERNEL32(000000F1), ref: 01558604
    • SetThreadPriority.KERNEL32(00000000), ref: 0155860B
      • Part of subcall function 0158EFB8: GetSystemTimeAsFileTime.KERNEL32(?,.html,015E532C,00000000,?,01594376,.html,015E532C,?,01558269), ref: 0158EFCC
      • Part of subcall function 0158EFB8: RegisterClassExW.USER32 ref: 0158F03B
      • Part of subcall function 0158EFB8: CreateWindowExW.USER32(00000000,?,00000000,00000000,01594376,?,00000001,00000001,00000000,00000000,00000000), ref: 0158F08D
      • Part of subcall function 0158EFB8: UpdateWindow.USER32(00000000), ref: 0158F094
      • Part of subcall function 0158EFB8: TranslateMessage.USER32(?), ref: 0158F0A6
      • Part of subcall function 0158EFB8: DispatchMessageW.USER32(?), ref: 0158F0B0
      • Part of subcall function 0158EFB8: UnregisterClassW.USER32(?), ref: 0158F0D0
      • Part of subcall function 0158EFB8: GetUserGeoID.KERNEL32(00000010), ref: 0158F0D8
      • Part of subcall function 0158EFB8: GetTimeZoneInformation.KERNEL32(?,?,?,01594376,.html,015E532C,?,01558269), ref: 0158F109
      • Part of subcall function 0158EFB8: CryptAcquireContextW.ADVAPI32(0168AD20,00000000,00000000,00000001,F0000000,?,01594376,.html,015E532C,?,01558269), ref: 0158F156
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 01558685
    • AllocateAndInitializeSid.ADVAPI32 ref: 015586B2
    • GetLengthSid.ADVAPI32(00000000), ref: 015586C0
    • InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 015586DB
    • AddAccessAllowedAce.ADVAPI32(00000000,00000002,001F01FF,00000000), ref: 015586F4
    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 0155870A
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 01558795
    • CreateFileW.KERNEL32(C:\ProgramData\Sun\hygrtse,40000000,00000000,?,00000002,00000002,00000000), ref: 015587EC
    • CloseHandle.KERNEL32(00000000), ref: 015587FC
      • Part of subcall function 015911DA: CreateFileW.KERNEL32(C:\ProgramData\Sun\hygrtse,40000000,00000000,00000000,00000004,00000002,00000000), ref: 01591272
      • Part of subcall function 015911DA: Sleep.KERNEL32(00000064,?,01558807), ref: 01591281
      • Part of subcall function 015911DA: WriteFile.KERNEL32(00000000,?,0000028E,01558807,00000000), ref: 015912A1
      • Part of subcall function 015911DA: CloseHandle.KERNEL32(00000000), ref: 015912A8
      • Part of subcall function 0159426B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01594292
      • Part of subcall function 0159426B: Process32FirstW.KERNEL32 ref: 015942A8
      • Part of subcall function 0159426B: Process32NextW.KERNEL32(00000000,?), ref: 01594311
      • Part of subcall function 0159426B: Sleep.KERNEL32(000003E8), ref: 01594323
    • CreateThread.KERNEL32(00000000,00000000,01594344,00000000,00000000,00000000), ref: 01558859
    • Sleep.KERNEL32(000003E8), ref: 01558868
      • Part of subcall function 01591163: CreateFileW.KERNEL32(C:\ProgramData\Sun\hygrtse,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 01591183
      • Part of subcall function 01591163: GetFileSize.KERNEL32(00000000,00000000,?,0155887B,?), ref: 01591192
      • Part of subcall function 01591163: ReadFile.KERNEL32(00000000,0155887B,0000028E,?,00000000), ref: 015911AF
      • Part of subcall function 01591163: CloseHandle.KERNEL32(00000000), ref: 015911C3
      • Part of subcall function 01591163: CloseHandle.KERNEL32(00000000), ref: 015911CE
    • CreateThread.KERNEL32(00000000,00000000,01594344,00000000,00000000,00000000), ref: 01558927
    • GetVersion.KERNEL32 ref: 01558939
      • Part of subcall function 01594449: Sleep.KERNEL32(000005DC,?,00000000,0155894B), ref: 01594466
      • Part of subcall function 01594449: SetProcessWindowStation.USER32(00000000), ref: 01594476
      • Part of subcall function 01594449: Sleep.KERNEL32(000005DC,?,00000000,0155894B), ref: 015944A1
      • Part of subcall function 01594449: SetThreadDesktop.USER32(00000000), ref: 015944B7
      • Part of subcall function 015941C0: OpenProcessToken.ADVAPI32(000000FF,00000028,00000002,00000000,00000001,?,015942FB,0000022C), ref: 015941DE
      • Part of subcall function 015941C0: LookupPrivilegeValueW.ADVAPI32(00000000,0166C230,00000040), ref: 015941F2
      • Part of subcall function 015941C0: AdjustTokenPrivileges.ADVAPI32(00000002,00000000,?,00000010,00000000,00000000,?,015942FB,0000022C), ref: 01594212
      • Part of subcall function 015941C0: OpenProcess.KERNEL32(001FFFFF,00000000,00000002,?,015942FB,0000022C), ref: 01594221
      • Part of subcall function 015941C0: CloseHandle.KERNEL32(00000000), ref: 0159425E
    • FindWindowExW.USER32(00000000,00000000,00000000,00000000), ref: 0155898C
    • CloseHandle.KERNEL32(?), ref: 015589A0
      • Part of subcall function 015944C2: Sleep.KERNEL32(000005DC,?,015589AB), ref: 01594524
      • Part of subcall function 0159453A: Sleep.KERNEL32(000005DC,?,015589B0), ref: 01594563
      • Part of subcall function 0159453A: DuplicateTokenEx.ADVAPI32(015589B0,02000000,00000000,00000001,00000001,?,?,015589B0), ref: 0159458C
      • Part of subcall function 0159453A: GetModuleFileNameW.KERNEL32 ref: 015945C5
      • Part of subcall function 0159453A: wsprintfW.USER32(?,0166C2C0,?), ref: 015945DE
      • Part of subcall function 0159453A: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000100), ref: 01594600
    • DeleteFileW.KERNEL32(C:\ProgramData\upbbxxl.html), ref: 01558A5C
      • Part of subcall function 0151258B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0156CD9B,00000000,015A57C1,?,?,0152576F,000000FF,015A56CA,?,?,01502D13), ref: 01512596
    • FindWindowW.USER32(0166C3A4,0166C3C0), ref: 015589ED
    • SendMessageW.USER32(00000000,00000111,000001A3,00000000), ref: 01558A03
      • Part of subcall function 01592609: GetDesktopWindow.USER32(000000FF,000000FF,015E5198,?,01558A4E), ref: 0159261A
      • Part of subcall function 01592609: GetClientRect.USER32(00000000), ref: 01592621
      • Part of subcall function 01592609: CreateWindowExW.USER32(00000080,016CCF64,0166C060,80000000,?,01558A4E,016CCF9C,016CCF98,00000000,00000000,00000000), ref: 01592679
      • Part of subcall function 01592609: ShowWindow.USER32(00000000,00000005), ref: 0159268B
      • Part of subcall function 01592609: UpdateWindow.USER32(00000000), ref: 01592692
      • Part of subcall function 01592609: TranslateMessage.USER32(?), ref: 015926A4
      • Part of subcall function 01592609: DispatchMessageW.USER32(?), ref: 015926AE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • FindFirstFileW.KERNELBASE(?,?,00000000,?,01558296,?,?,?), ref: 01593C55
    • CreateFileW.KERNEL32(C:\ProgramData\Sun\hygrtse,80000000,00000000,00000000,00000003,00000002,00000000), ref: 01593D37
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,01558296,?,?,?), ref: 01593D47
    • ReadFile.KERNEL32(00000000,016CA528,0000028E,?,00000000), ref: 01593D68
    • CloseHandle.KERNEL32(00000000), ref: 01593D7A
    • FindNextFileW.KERNEL32(?,?,?,01558296,?,?,?), ref: 01593D8A
    • FindClose.KERNELBASE(?,?,01558296,?,?,?), ref: 01593D9B
    • CloseHandle.KERNEL32(00000000), ref: 01593DA9
    • FindClose.KERNEL32(?,?,?,?,?,?,01558296,?,?,?), ref: 01593DB2
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 01592BB5
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 01592BC7
    • CoCreateInstance.OLE32(0160610C,00000000,00000001,01605EFC,?), ref: 01592BE1
    • CoUninitialize.OLE32 ref: 01592BEB
    • GetUserNameW.ADVAPI32(?,?), ref: 01592DC8
    • CoUninitialize.OLE32 ref: 01592F6C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,01701094), ref: 01593DE4
    • Process32FirstW.KERNEL32 ref: 01593DFE
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 01593E3E
    • CloseHandle.KERNEL32(00000000), ref: 01593E61
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetVersion.KERNEL32(0155825B), ref: 0158ECC7
      • Part of subcall function 0158EA04: GetCurrentProcess.KERNEL32(00000008,?,.html,00000000,?,0158ECEB), ref: 0158EA24
      • Part of subcall function 0158EA04: OpenProcessToken.ADVAPI32(00000000,?,0158ECEB), ref: 0158EA2B
      • Part of subcall function 0158EA04: GetTokenInformation.KERNELBASE(00000000,00000019,00000000,00000000,?,015E532C,?,0158ECEB), ref: 0158EA47
      • Part of subcall function 0158EA04: GetLastError.KERNEL32(?,0158ECEB), ref: 0158EA4D
      • Part of subcall function 0158EA04: LocalAlloc.KERNEL32(00000040,?,?,0158ECEB), ref: 0158EA62
      • Part of subcall function 0158EA04: GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?,?,0158ECEB), ref: 0158EA7B
      • Part of subcall function 0158EA04: GetSidSubAuthority.ADVAPI32(00000000,00000000,?,0158ECEB), ref: 0158EA84
      • Part of subcall function 0158EA04: CloseHandle.KERNEL32(?), ref: 0158EA9C
      • Part of subcall function 0158EA04: LocalFree.KERNEL32(00000000,?,0158ECEB), ref: 0158EAA7
      • Part of subcall function 0158EAB4: GetCurrentThread.KERNEL32(0000000A,00000001,?), ref: 0158EB0C
      • Part of subcall function 0158EAB4: OpenThreadToken.ADVAPI32(00000000), ref: 0158EB13
      • Part of subcall function 0158EAB4: GetLastError.KERNEL32 ref: 0158EB1D
      • Part of subcall function 0158EAB4: GetCurrentProcess.KERNEL32(0000000A,?), ref: 0158EB34
      • Part of subcall function 0158EAB4: OpenProcessToken.ADVAPI32(00000000), ref: 0158EB3B
      • Part of subcall function 0158EAB4: DuplicateToken.ADVAPI32(?,00000002,?), ref: 0158EB52
      • Part of subcall function 0158EAB4: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0158EB77
      • Part of subcall function 0158EAB4: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0158EB9E
      • Part of subcall function 0158EAB4: GetLengthSid.ADVAPI32(?), ref: 0158EBAF
      • Part of subcall function 0158EAB4: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0158EBCE
      • Part of subcall function 0158EAB4: AddAccessAllowedAce.ADVAPI32(?,00000002,00000003,?), ref: 0158EBE5
      • Part of subcall function 0158EAB4: SetSecurityDescriptorDacl.ADVAPI32(015E532C,00000001,?,00000000), ref: 0158EBFA
      • Part of subcall function 0158EAB4: SetSecurityDescriptorGroup.ADVAPI32(015E532C,?,00000000), ref: 0158EC0B
      • Part of subcall function 0158EAB4: SetSecurityDescriptorOwner.ADVAPI32(015E532C,?,00000000), ref: 0158EC18
      • Part of subcall function 0158EAB4: IsValidSecurityDescriptor.ADVAPI32(015E532C), ref: 0158EC21
      • Part of subcall function 0158EAB4: AccessCheck.ADVAPI32(015E532C,?,00000001,?,?,?,?,?), ref: 0158EC56
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(015DDF48), ref: 0150A1D8
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004011A6
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00401207
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401249
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004012AF
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004012F2
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040134B
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00401390
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004013D3
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00401427
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040143E
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 0040148A
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004014DC
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040152D
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00401548
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 0040159F
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 0040177F
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004017A0
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004017E3
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00401800
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00401854
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00401881
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004018DA
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401924
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040194E
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004019A4
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004019F6
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00401A2A
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00401A6D
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00401A98
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00401AE4
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401B10
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00401B68
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401BCF
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401C33
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00401C4F
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401CA0
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401CF5
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401D46
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401D96
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00401DAF
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00401E06
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00401E31
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00401E7E
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00401E9B
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00401EE6
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00401F0B
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00401F79
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00401FC5
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00402022
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402040
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402078
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004020D9
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040210E
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402164
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402183
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004021C6
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402207
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040226E
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004022BC
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00402314
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402352
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040239F
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004023EE
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00402451
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040247F
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004024D2
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 004024EA
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402541
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402562
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004025AC
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040260C
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402625
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040266D
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004026B0
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402700
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 0040273D
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040276E
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004027D5
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402806
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 0040284D
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040289A
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004028C3
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402929
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00402964
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00402998
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004029E7
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402A18
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402A73
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402A9C
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402AFA
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00402B58
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402B7D
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402BB7
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402BE2
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402C30
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402C80
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402C9C
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402CE1
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402D33
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402D87
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00402DAE
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402DE2
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00402E16
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402E6C
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00402ED1
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00402EFA
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00402F4A
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00402F7F
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00402FDB
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 0040300A
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403062
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004030A3
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403105
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040315D
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00403193
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004031F4
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 0040322D
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403266
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040327B
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004032CB
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004032ED
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 0040334F
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403395
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004033C9
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403425
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403446
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403498
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004034B0
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004034F0
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403546
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004035A9
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 0040361B
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00403651
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004036A3
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004036F6
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403710
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00403765
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004037D4
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040383D
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040386F
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004038C2
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00403903
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 0040393D
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 0040395D
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004039B7
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 004039D3
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403A1D
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403A6B
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403AB4
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403AE6
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403B1B
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403B39
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00403B7F
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403BC8
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403BEC
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00403C4C
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00403C7C
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00403CC4
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00403CEC
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403D30
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403D52
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00403D95
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00403DBA
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403E11
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403E6C
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403EC5
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403EEE
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403F34
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00403F6C
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00403FBE
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00403FFD
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404033
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 0040408F
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004040B8
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404110
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404132
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00404165
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 004041A8
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004041E5
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040422F
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040424B
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004042A7
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004042F8
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040431F
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404372
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004043AD
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004043D6
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00404438
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00404453
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004044A5
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004044C0
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004044FE
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040452F
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404566
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004045B3
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004045EA
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404637
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00404669
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004046A6
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004046CA
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404713
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404733
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040478E
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004047BB
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404810
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00404853
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004048AE
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004048D4
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404927
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040493B
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00404988
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004049A9
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004049ED
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404A31
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404A57
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404ABD
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00404B16
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404B68
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404B86
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404BDC
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404C07
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404C4B
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404CBC
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00404CF0
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404D47
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00404D7E
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404DC9
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404DE4
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404E2B
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404E82
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404EA5
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404EF1
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404F1B
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404F54
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00404F78
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00404FC0
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00404FF4
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040503A
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040505F
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004050AE
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 004050F5
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405144
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040519F
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004051CC
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00405218
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040526F
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 004052D5
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 004052F7
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405355
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00405397
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004053D5
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00405411
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040542D
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405464
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405491
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004054EC
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405513
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040554E
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004055AB
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405602
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040564A
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040568D
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004056AE
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004056F2
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405723
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040577A
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004057B0
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405806
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 0040581E
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040587B
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004058AE
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00405903
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00405930
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405973
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 004059C4
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004059E6
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00405A2C
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00405A4F
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00405AA0
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00405AEE
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405B54
    • VirtualAllocEx.KERNELBASE(FFFFFFFF,04FFFF5C,00000674,00001000,00000040,-4C652C97), ref: 00405BB8
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00405D36
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00405D96
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00405DB6
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00405E16
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00405E46
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00405E93
    • SetCurrentDirectoryW.KERNELBASE(xniGEsfZ), ref: 00405EDF
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00405F3A
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00405F8D
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00405FB0
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040600D
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 0040605E
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 0040608F
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004060F0
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 0040613F
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00406174
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004061CD
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 00406223
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00406255
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004062B6
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 004062CF
    • SetCurrentDirectoryW.KERNEL32(xniGEsfZ), ref: 00406310
    • GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF), ref: 00406356
    • GetPrivateProfileStructW.KERNEL32(nbKyiWvJUUO,nbKyiWvJUUO,0040723E,0000000F,BnXNbPPsULYKjkxZK), ref: 004063A4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.442597196.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.442592550.00400000.00000002.sdmp
    • Associated: 00000001.00000001.442601940.00407000.00000004.sdmp
    • Associated: 00000001.00000001.442605610.00408000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_downloaded.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000200,.html,?,00000000,?,015584B4,?), ref: 01592FBE
    • GetTempPathW.KERNEL32(00000200,?), ref: 01592FC9
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,015584B4,?), ref: 0159302E
    • GetFileSize.KERNEL32(00000000,00000000), ref: 01593040
      • Part of subcall function 01548B33: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 01548B78
    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0159305D
    • CloseHandle.KERNEL32(00000000), ref: 01593064
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000000,00000000), ref: 0159307A
    • CloseHandle.KERNEL32(?), ref: 015930EB
      • Part of subcall function 0156A939: HeapFree.KERNEL32(00000000,00000000), ref: 0156A94F
      • Part of subcall function 0156A939: GetLastError.KERNEL32(00000000), ref: 0156A961
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 015930E2
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetCurrentProcess.KERNEL32(00000008,?,.html,00000000,?,0158ECEB), ref: 0158EA24
    • OpenProcessToken.ADVAPI32(00000000,?,0158ECEB), ref: 0158EA2B
    • GetTokenInformation.KERNELBASE(00000000,00000019,00000000,00000000,?,015E532C,?,0158ECEB), ref: 0158EA47
    • GetLastError.KERNEL32(?,0158ECEB), ref: 0158EA4D
    • LocalAlloc.KERNEL32(00000040,?,?,0158ECEB), ref: 0158EA62
    • GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?,?,0158ECEB), ref: 0158EA7B
    • GetSidSubAuthority.ADVAPI32(00000000,00000000,?,0158ECEB), ref: 0158EA84
    • CloseHandle.KERNEL32(?), ref: 0158EA9C
    • LocalFree.KERNEL32(00000000,?,0158ECEB), ref: 0158EAA7
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(016042B4), ref: 0152C6EE
    • TlsAlloc.KERNEL32 ref: 0152C787
    • RtlEncodePointer.NTDLL ref: 0152C7BD
    • RtlEncodePointer.NTDLL ref: 0152C7CA
    • RtlEncodePointer.NTDLL ref: 0152C7D7
    • RtlEncodePointer.NTDLL ref: 0152C7E4
      • Part of subcall function 01543C0F: InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,00000000,015E52A8,0152C7F0), ref: 01543C37
    • RtlDecodePointer.NTDLL(Function_0005F3D5), ref: 0152C805
      • Part of subcall function 01558E62: Sleep.KERNEL32(00000000,01582184,00000001,00000214), ref: 01558E8A
    • RtlDecodePointer.NTDLL(00000000), ref: 0152C834
      • Part of subcall function 01537A40: GetModuleHandleW.KERNEL32(016042B4,016872C0,00000008,015821AD,00000000,00000000), ref: 01537A51
      • Part of subcall function 01537A40: InterlockedIncrement.KERNEL32(015E58C0), ref: 01537A92
    • GetCurrentThreadId.KERNEL32 ref: 0152C846
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 0154B9C3
      • Part of subcall function 01558E62: Sleep.KERNEL32(00000000,01582184,00000001,00000214), ref: 01558E8A
    • GetFileType.KERNEL32(?), ref: 0154BAF6
    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0154BB2C
    • GetStdHandle.KERNEL32(-000000F6), ref: 0154BB80
    • GetFileType.KERNEL32(00000000), ref: 0154BB92
    • InitializeCriticalSectionAndSpinCount.KERNEL32(-016888D4,00000FA0), ref: 0154BBC0
    • SetHandleCount.KERNEL32 ref: 0154BBE9
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,0166BB00,00000000,00000101,01558176,00000057), ref: 0158E2D9
    • RegQueryValueExA.KERNEL32(01558176,0166BB20,00000000,00000000,041d84af-7e76-450d-8340-55db3c73c359,0000003F), ref: 0158E2F9
    • RegCloseKey.KERNEL32(01558176), ref: 0158E302
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • RtlDecodePointer.NTDLL(?,?,?,?,?,0155B1E3,?,01687410,0000000C,0157B1FB,?,?,0155AB8B,0150C59E), ref: 015DECF8
    • RtlDecodePointer.NTDLL(?,?,?,?,?,0155B1E3,?,01687410,0000000C,0157B1FB,?,?,0155AB8B,0150C59E), ref: 015DED05
      • Part of subcall function 01570F49: RtlSizeHeap.NTDLL(00000000,00000000), ref: 01570F74
      • Part of subcall function 01541293: Sleep.KERNEL32(00000000), ref: 015412BD
    • RtlEncodePointer.NTDLL(00000000), ref: 015DED6A
    • RtlEncodePointer.NTDLL(?,?,?,?,?,?,0155B1E3,?,01687410,0000000C,0157B1FB,?,?,0155AB8B,0150C59E), ref: 015DED7E
    • RtlEncodePointer.NTDLL(-00000004,?,?,?,?,?,0155B1E3,?,01687410,0000000C,0157B1FB,?,?,0155AB8B,0150C59E), ref: 015DED86
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
      • Part of subcall function 003F05D2: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,003F0096), ref: 003F05DF
    • VirtualProtect.KERNELBASE(?,?,00000004,?,?), ref: 003F00B6
    • VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,00000004,?,?), ref: 003F00C6
    • VirtualProtect.KERNELBASE(?,?,00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004), ref: 003F010F
    • VirtualProtect.KERNELBASE(00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004,?,?), ref: 003F0125
      • Part of subcall function 003F01EC: VirtualProtect.KERNELBASE(?,?,00000004,?,00000000,?,00000000), ref: 003F022D
      • Part of subcall function 003F01EC: VirtualProtect.KERNELBASE ref: 003F0266
    Memory Dump Source
    • Source File: 00000001.00000002.867601621.003F0000.00000040.sdmp, Offset: 003F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3f0000_downloaded.jbxd
    APIs
      • Part of subcall function 0155379D: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 015537D4
      • Part of subcall function 0155379D: GetCurrentProcessId.KERNEL32 ref: 015537E0
      • Part of subcall function 0155379D: GetCurrentThreadId.KERNEL32 ref: 015537E8
      • Part of subcall function 0155379D: GetTickCount.KERNEL32 ref: 015537F0
      • Part of subcall function 0155379D: QueryPerformanceCounter.KERNEL32(?), ref: 015537FC
    • GetStartupInfoW.KERNEL32(?,01687240,00000058), ref: 015DD13F
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 015DD154
      • Part of subcall function 015394A0: HeapCreate.KERNELBASE(00000000,00001000,00000000,015DD1A8), ref: 015394A9
      • Part of subcall function 0152C6E6: GetModuleHandleW.KERNEL32(016042B4), ref: 0152C6EE
      • Part of subcall function 0152C6E6: TlsAlloc.KERNEL32 ref: 0152C787
      • Part of subcall function 0152C6E6: RtlEncodePointer.NTDLL ref: 0152C7BD
      • Part of subcall function 0152C6E6: RtlEncodePointer.NTDLL ref: 0152C7CA
      • Part of subcall function 0152C6E6: RtlEncodePointer.NTDLL ref: 0152C7D7
      • Part of subcall function 0152C6E6: RtlEncodePointer.NTDLL ref: 0152C7E4
      • Part of subcall function 0152C6E6: RtlDecodePointer.NTDLL(Function_0005F3D5), ref: 0152C805
      • Part of subcall function 0152C6E6: RtlDecodePointer.NTDLL(00000000), ref: 0152C834
      • Part of subcall function 0152C6E6: GetCurrentThreadId.KERNEL32 ref: 0152C846
      • Part of subcall function 0154B9B6: GetStartupInfoW.KERNEL32(?), ref: 0154B9C3
      • Part of subcall function 0154B9B6: GetFileType.KERNEL32(?), ref: 0154BAF6
      • Part of subcall function 0154B9B6: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0154BB2C
      • Part of subcall function 0154B9B6: GetStdHandle.KERNEL32(-000000F6), ref: 0154BB80
      • Part of subcall function 0154B9B6: GetFileType.KERNEL32(00000000), ref: 0154BB92
      • Part of subcall function 0154B9B6: InitializeCriticalSectionAndSpinCount.KERNEL32(-016888D4,00000FA0), ref: 0154BBC0
      • Part of subcall function 0154B9B6: SetHandleCount.KERNEL32 ref: 0154BBE9
    • GetCommandLineW.KERNEL32 ref: 015DD1DE
      • Part of subcall function 01528ECD: GetEnvironmentStringsW.KERNEL32(00000000,015DD1EE), ref: 01528ED0
      • Part of subcall function 01528ECD: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 01528F0C
      • Part of subcall function 0150BDA1: GetModuleFileNameW.KERNEL32(00000000,C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe,00000104), ref: 0150BDC1
      • Part of subcall function 0155811C: GetModuleHandleW.KERNEL32(00000000), ref: 01558132
      • Part of subcall function 0155811C: OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 015581B2
      • Part of subcall function 0155811C: ExitProcess.KERNEL32(00000000), ref: 015581BD
      • Part of subcall function 0155811C: CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 015581CB
      • Part of subcall function 0155811C: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData\upbbxxl.html), ref: 015581E6
      • Part of subcall function 0155811C: GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 015582AF
      • Part of subcall function 0155811C: GetTempPathW.KERNEL32(00000100,?), ref: 015583E3
      • Part of subcall function 0155811C: GetTickCount.KERNEL32 ref: 01558412
      • Part of subcall function 0155811C: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01558440
      • Part of subcall function 0155811C: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 01558460
      • Part of subcall function 0155811C: CloseHandle.KERNEL32(00000000), ref: 01558467
      • Part of subcall function 0155811C: ShellExecuteW.SHELL32(00000000,0166C2DC,?,00000000,00000000,00000005), ref: 0155847F
      • Part of subcall function 0155811C: CloseHandle.KERNEL32(?), ref: 0155848E
      • Part of subcall function 0155811C: Sleep.KERNELBASE(0002BF20), ref: 015584F4
      • Part of subcall function 0155811C: RegCloseKey.ADVAPI32(?), ref: 0155858F
      • Part of subcall function 0155811C: RegCloseKey.ADVAPI32(?), ref: 015585E9
      • Part of subcall function 0155811C: GetCurrentThread.KERNEL32(000000F1), ref: 01558604
      • Part of subcall function 0155811C: SetThreadPriority.KERNEL32(00000000), ref: 0155860B
      • Part of subcall function 0155811C: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 01558685
      • Part of subcall function 0155811C: AllocateAndInitializeSid.ADVAPI32 ref: 015586B2
      • Part of subcall function 0155811C: GetLengthSid.ADVAPI32(00000000), ref: 015586C0
      • Part of subcall function 0155811C: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 015586DB
      • Part of subcall function 0155811C: AddAccessAllowedAce.ADVAPI32(00000000,00000002,001F01FF,00000000), ref: 015586F4
      • Part of subcall function 0155811C: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 0155870A
      • Part of subcall function 0155811C: CreateDirectoryW.KERNEL32(?,00000000), ref: 01558795
      • Part of subcall function 0155811C: CreateFileW.KERNEL32(C:\ProgramData\Sun\hygrtse,40000000,00000000,?,00000002,00000002,00000000), ref: 015587EC
      • Part of subcall function 0155811C: CloseHandle.KERNEL32(00000000), ref: 015587FC
      • Part of subcall function 0155811C: CreateThread.KERNEL32(00000000,00000000,01594344,00000000,00000000,00000000), ref: 01558859
      • Part of subcall function 0155811C: Sleep.KERNEL32(000003E8), ref: 01558868
      • Part of subcall function 0155811C: CreateThread.KERNEL32(00000000,00000000,01594344,00000000,00000000,00000000), ref: 01558927
      • Part of subcall function 0155811C: GetVersion.KERNEL32 ref: 01558939
      • Part of subcall function 0155811C: FindWindowExW.USER32(00000000,00000000,00000000,00000000), ref: 0155898C
      • Part of subcall function 0155811C: CloseHandle.KERNEL32(?), ref: 015589A0
      • Part of subcall function 0155811C: FindWindowW.USER32(0166C3A4,0166C3C0), ref: 015589ED
      • Part of subcall function 0155811C: SendMessageW.USER32(00000000,00000111,000001A3,00000000), ref: 01558A03
      • Part of subcall function 0155811C: DeleteFileW.KERNEL32(C:\ProgramData\upbbxxl.html), ref: 01558A5C
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • VirtualProtect.KERNELBASE(?,?,00000004,?,00000000,?,00000000), ref: 003F022D
    • VirtualProtect.KERNELBASE ref: 003F0266
    Memory Dump Source
    • Source File: 00000001.00000002.867601621.003F0000.00000040.sdmp, Offset: 003F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3f0000_downloaded.jbxd
    APIs
      • Part of subcall function 0154156E: GetModuleFileNameW.KERNEL32(00000000,01689AF2,00000104,00000001,00000000,?), ref: 0154160A
      • Part of subcall function 0154156E: GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 015416BC
      • Part of subcall function 0154156E: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 01541708
      • Part of subcall function 0150799B: ExitProcess.KERNEL32(?,?,01548B62,000000FF,0000001E,00000001,00000000,00000000,?,0151246B,?,00000001,?,?,0158005B,00000018), ref: 015079AC
    • RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 01548B78
      • Part of subcall function 01581789: RtlDecodePointer.NTDLL ref: 01581794
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00000008,01582184,00000000), ref: 015038B4
      • Part of subcall function 01581789: RtlDecodePointer.NTDLL ref: 01581794
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetVersion.KERNEL32(?,?,015584E8,?,00000000,00000001,?,?,?,?,?,?,?,?), ref: 015930F9
      • Part of subcall function 01592BA1: CoInitializeEx.OLE32(00000000,00000000), ref: 01592BB5
      • Part of subcall function 01592BA1: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 01592BC7
      • Part of subcall function 01592BA1: CoCreateInstance.OLE32(0160610C,00000000,00000001,01605EFC,?), ref: 01592BE1
      • Part of subcall function 01592BA1: CoUninitialize.OLE32 ref: 01592BEB
      • Part of subcall function 01592BA1: GetUserNameW.ADVAPI32(?,?), ref: 01592DC8
      • Part of subcall function 01592BA1: CoUninitialize.OLE32 ref: 01592F6C
      • Part of subcall function 015926C5: CoInitialize.OLE32(00000000), ref: 015926D7
      • Part of subcall function 015926C5: CoCreateInstance.OLE32(01603EF8,00000000,00000001,01603F50,00000001), ref: 015926F9
      • Part of subcall function 015926C5: CoUninitialize.OLE32 ref: 01592703
      • Part of subcall function 015926C5: GetUserNameW.ADVAPI32(?,?), ref: 0159279C
      • Part of subcall function 015926C5: CoUninitialize.OLE32 ref: 0159288E
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • RtlEncodePointer.NTDLL(DDCF4142), ref: 0152C99D
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,015DD1A8), ref: 015394A9
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.867635576.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.867608225.00400000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_downloaded.jbxd
    APIs
    • RtlEncodePointer.NTDLL(Function_000DEBD7), ref: 01582B65
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • RtlEncodePointer.NTDLL(00000000), ref: 0153D320
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00000674,00001000,00000040), ref: 002F0068
    Memory Dump Source
    • Source File: 00000001.00000002.867554722.002F0000.00000040.sdmp, Offset: 002F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_2f0000_downloaded.jbxd
    APIs
      • Part of subcall function 01503871: RtlAllocateHeap.NTDLL(00000008,01582184,00000000), ref: 015038B4
    • Sleep.KERNEL32(00000000,01582184,00000001,00000214), ref: 01558E8A
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,003F0096), ref: 003F05DF
    Memory Dump Source
    • Source File: 00000001.00000002.867601621.003F0000.00000040.sdmp, Offset: 003F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3f0000_downloaded.jbxd

    Non-executed Functions

    APIs
    • GetLogicalDriveStringsW.KERNEL32(00000400,?,.html,?,?,00000000,0155834C), ref: 0159391C
    • RtlInitializeCriticalSection.NTDLL(016CCF2C), ref: 0159392D
    • GetDriveTypeW.KERNEL32(?), ref: 015939A6
    • wsprintfW.USER32(?,0166C148,?), ref: 015939C6
    • GetFileAttributesW.KERNEL32(?,?,?,0155834C), ref: 015939D8
    • HeapCreate.KERNEL32(00000000,00010000,00000000), ref: 01593A48
    • RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 01593A5F
    • RtlInitializeCriticalSection.NTDLL(016CCC28), ref: 01593A89
    • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 01593AE6
    • CloseHandle.KERNEL32(?), ref: 01593AF6
    • HeapDestroy.KERNEL32(?,00000000,0155834C), ref: 01593B1E
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01593B86
    • WriteFile.KERNEL32(016CCF28,0168AD28,?,00000000), ref: 01593BA8
    • CloseHandle.KERNEL32 ref: 01593BB4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
      • Part of subcall function 01590654: Sleep.KERNEL32(000003E8,015E51A0,?,015907D4,00000001), ref: 0159066D
    • socket.WS2_32(00000002,00000001,00000006), ref: 015907E3
    • Sleep.KERNEL32(000000FA), ref: 015907F0
    • connect.WS2_32(00000000,0100007F,00000010), ref: 0159080B
    • send.WS2_32(00000000,?,00000020,00000000), ref: 01590851
    • recv.WS2_32(00000000,?,00000008,00000000), ref: 01590860
      • Part of subcall function 0158F9C2: GetTickCount.KERNEL32(key,?,?,01592939,00000000,00000000,?,00000000,00000000,?,0158F862,00000000,?,00000000,00000000,00000000), ref: 0158FA1D
    • send.WS2_32(00000000,?,00000000,00000000), ref: 01590908
    • select.WS2_32(00000001,?,00000000,?,?), ref: 01590960
    • Sleep.KERNEL32(000000FA), ref: 0159096F
    • closesocket.WS2_32(00000000), ref: 01590978
    • ioctlsocket.WS2_32(00000000,4004667F,?), ref: 0159099A
    • recv.WS2_32(00000000,?,?,00000000), ref: 015909C1
    • closesocket.WS2_32(00000000), ref: 01590A0B
      • Part of subcall function 0159005C: OemToCharW.USER32(?,016D0718), ref: 01590330
    • closesocket.WS2_32(00000000), ref: 01590A30
    • TerminateThread.KERNEL32(00000000), ref: 01590A3E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetUserGeoID.KERNEL32(00000010), ref: 015922AC
    • LoadLibraryA.KERNEL32 ref: 01592360
    • GetProcAddress.KERNEL32(00000000,0166C050,?,00000000,015589E3), ref: 0159236C
    • GetDesktopWindow.USER32(?,00000000,015589E3), ref: 01592374
    • GetDC.USER32(00000000), ref: 0159237F
      • Part of subcall function 01548B33: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 01548B78
      • Part of subcall function 01591DE2: GetDesktopWindow.USER32(00000000,000002BC,015921E7,00000000,00000000), ref: 01591DEE
      • Part of subcall function 01591DE2: GetDC.USER32(00000000), ref: 01591DF8
      • Part of subcall function 01591DE2: CreateCompatibleBitmap.GDI32(00000000,00000331,00000219), ref: 01591E04
      • Part of subcall function 01591DE2: CreateCompatibleDC.GDI32(00000000), ref: 01591E10
      • Part of subcall function 01591DE2: SelectObject.GDI32(00000000,?), ref: 01591E1D
      • Part of subcall function 01591DE2: SetDIBits.GDI32 ref: 01591E6E
      • Part of subcall function 01591DE2: ReleaseDC.USER32(?,?), ref: 01591E7A
    • ReleaseDC.USER32(?,?), ref: 01592561
    • CreateIconFromResource.USER32(01601816,000025A8,00000001,00030000), ref: 01592593
    • GetLastError.KERNEL32 ref: 0159259B
    • LoadCursorW.USER32 ref: 015925D4
    • RegisterClassExW.USER32 ref: 015925FB
    Strings
    • netilnedvlse<screentext>%a1%%f3%%c3%I tuoi dati personali sono criptati da CTB-Locker.%f0%%c0%I tuoi documenti, foto, dati e altri file importanti sono stati criptati con la crittografia forte e chiave univoca, generati per questo computer.Chiave , xrefs: 0159232E
      (English translation of the Italian ransom text: "Your personal data has been encrypted by CTB-Locker. Your documents, photos, data and other important files have been encrypted with strong encryption and a unique key, generated for this computer. Key")
    • Tahoma, xrefs: 01592201, 01592206, 0159221D, 01592254, 0159226F
    • 0, xrefs: 015925AC
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
      • Part of subcall function 015944C2: Sleep.KERNEL32(000005DC,?,015589AB), ref: 01594524
    • Sleep.KERNEL32(000005DC,?,015589B0), ref: 01594563
    • DuplicateTokenEx.ADVAPI32(015589B0,02000000,00000000,00000001,00000001,?,?,015589B0), ref: 0159458C
    • GetModuleFileNameW.KERNEL32 ref: 015945C5
    • wsprintfW.USER32(?,0166C2C0,?), ref: 015945DE
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000100), ref: 01594600
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • htonl.WS2_32(7F000001), ref: 0150E3D6
    • bind.WS2_32(00000000,?,00000010), ref: 0150E3EE
    • listen.WS2_32(00000000,00000001), ref: 0150E400
    • connect.WS2_32(00000002,?,00000010), ref: 0150E44C
    • accept.WS2_32(00000000,?,?), ref: 0150E463
    • WSAGetLastError.WS2_32 ref: 0150E4C8
    • WSASetLastError.WS2_32(00000000), ref: 0150E4FB
      • Part of subcall function 0155EEE4: closesocket.WS2_32(?), ref: 0155EEE8
    • WSASetLastError.WS2_32(00002726), ref: 0150E50A
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000028,00000002,00000000,00000001,?,015942FB,0000022C), ref: 015941DE
    • LookupPrivilegeValueW.ADVAPI32(00000000,0166C230,00000040), ref: 015941F2
    • AdjustTokenPrivileges.ADVAPI32(00000002,00000000,?,00000010,00000000,00000000,?,015942FB,0000022C), ref: 01594212
    • OpenProcess.KERNEL32(001FFFFF,00000000,00000002,?,015942FB,0000022C), ref: 01594221
      • Part of subcall function 01594177: GetModuleHandleA.KERNEL32(0166C210,?,01594237,?,015942FB,0000022C), ref: 01594194
      • Part of subcall function 01594177: GetProcAddress.KERNEL32(00000000,0166C220,?,01594237,?,015942FB,0000022C), ref: 015941A0
      • Part of subcall function 01593F0F: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,015E51F8,00000000,00000000,0162AEA0,0162AEA0,00000000,015E27F8,01687870,000000FF,?,01594254,00000000), ref: 01593F55
      • Part of subcall function 01593F0F: VirtualAllocEx.KERNEL32(00000002,00000000,?,00001000,00000004,015E51F8,00000000,00000000,0162AEA0,0162AEA0,00000000,015E27F8,01687870,000000FF,?,01594254), ref: 01593F60
      • Part of subcall function 01593F0F: VirtualProtect.KERNEL32(?,?,00000020,?), ref: 01593FDC
      • Part of subcall function 01593F0F: CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 01593FEE
      • Part of subcall function 01593F0F: WriteProcessMemory.KERNEL32(00000002,00000000,00000000,?,?), ref: 0159400B
      • Part of subcall function 01593F0F: VirtualProtectEx.KERNEL32(00000002,?,?,00000020,?), ref: 01594024
      • Part of subcall function 01593F0F: GetModuleHandleA.KERNEL32(0166C1F0,?,00000020,?), ref: 01594037
      • Part of subcall function 01593F0F: ResumeThread.KERNEL32(?,?,?,?,?,?,00000020,?), ref: 015940CE
      • Part of subcall function 01593F0F: ResumeThread.KERNEL32(?,?,00000020,?), ref: 0159414C
      • Part of subcall function 01593F0F: CloseHandle.KERNEL32(?), ref: 01594155
    • CloseHandle.KERNEL32(00000000), ref: 0159425E
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
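Several of the function blocks above are the kind of API sequence an analyst wants pulled out of a long Joe Sandbox dump automatically: the padded stub at 00404FF4..004063A4 that repeats SetCurrentDirectoryW and GetPrivateProfileSectionA with fixed junk arguments, the bind/listen/connect/accept function at 0150E3D6 that opens a loopback socket pair, the connect/send/recv loop at 015907E3 that the Detection section flags as DDOS-like, the DuplicateTokenEx/CreateProcessAsUserW pair at 0159458C, and the OpenProcessToken/AdjustTokenPrivileges/OpenProcess/VirtualAllocEx/WriteProcessMemory/ResumeThread chain at 015941DE. The Python below is an added triage example, not part of the report or of Joe Sandbox: it parses the report's "Api.MODULE(args), ref: ADDR" lines, including the "Part of subcall function" sub-bullets, and applies a few ordered-sequence rules to each block. The rule names are this example's own labels, the sample blocks are constructed abridgements of the report's lines, and reading 0100007F in the connect() argument as the little-endian in_addr dword for 127.0.0.1 is an assumption about how the report prints that argument.

```python
"""Triage helper: parse Joe Sandbox 'APIs' trace blocks and flag suspicious call chains.

Added example, not part of the report. It expects the line format the report prints:
'• Api.MODULE(arg,arg), ref: ADDR', optionally prefixed with 'Part of subcall function XXXX:'.
"""
import re
from collections import Counter

_CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

def parse_block(text):
    """Return [(api, [args], is_subcall), ...] in trace order; non-call lines are skipped."""
    calls = []
    for raw in text.splitlines():
        m = _CALL_RE.search(raw.strip().lstrip("• ").strip())
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append((m.group("api"), args, m.group("sub") is not None))
    return calls

def in_order(calls, wanted):
    """True if every API in `wanted` occurs in the trace in that order (gaps allowed)."""
    it = iter(api for api, _, _ in calls)
    return all(any(api == w for api in it) for w in wanted)

# Ordered API chains. Names are this example's own labels, not Joe Sandbox signature names.
SEQUENCE_RULES = {
    "process_injection": ["OpenProcessToken", "AdjustTokenPrivileges", "OpenProcess",
                          "VirtualAllocEx", "WriteProcessMemory", "ResumeThread"],
    "token_impersonation": ["DuplicateTokenEx", "CreateProcessAsUserW"],
    "loopback_socketpair": ["bind", "listen", "connect", "accept"],
    "beacon_then_kill_thread": ["socket", "connect", "send", "recv", "closesocket", "TerminateThread"],
}

def loopback_endpoint(calls):
    """127.0.0.1 as htonl() input (7F000001) or, assumption: as the in_addr dword 0100007F
    that the report appears to print for connect()'s sockaddr argument."""
    for api, args, _ in calls:
        if (api == "htonl" and args[:1] == ["7F000001"]) or (api == "connect" and "0100007F" in args):
            return True
    return False

def junk_padding(calls, min_calls=20, max_distinct=3):
    """Dozens of repeats of the same (api, args) pair is packer padding, not program logic."""
    sigs = Counter((api, tuple(args)) for api, args, _ in calls)
    return sum(sigs.values()) >= min_calls and len(sigs) <= max_distinct

def classify(block_text):
    """Sorted list of rule names that fire on one function's API block."""
    calls = parse_block(block_text)
    hits = [name for name, seq in SEQUENCE_RULES.items() if in_order(calls, seq)]
    if loopback_endpoint(calls):
        hits.append("loopback_endpoint")
    if junk_padding(calls):
        hits.append("junk_api_padding")
    return sorted(hits)

# Constructed samples, abridged from the report's blocks at 015941DE, 0150E3D6 and 015907E3.
INJECT_SAMPLE = """
• OpenProcessToken.ADVAPI32(000000FF,00000028,00000002), ref: 015941DE
• LookupPrivilegeValueW.ADVAPI32(00000000,0166C230,00000040), ref: 015941F2
• AdjustTokenPrivileges.ADVAPI32(00000002,00000000,?,00000010,00000000,00000000), ref: 01594212
• OpenProcess.KERNEL32(001FFFFF,00000000,00000002), ref: 01594221
  • Part of subcall function 01593F0F: VirtualAllocEx.KERNEL32(00000002,00000000,?,00001000,00000004), ref: 01593F60
  • Part of subcall function 01593F0F: WriteProcessMemory.KERNEL32(00000002,00000000,00000000,?,?), ref: 0159400B
  • Part of subcall function 01593F0F: ResumeThread.KERNEL32(?,?,00000020,?), ref: 015940CE
"""
SOCKETPAIR_SAMPLE = """
• htonl.WS2_32(7F000001), ref: 0150E3D6
• bind.WS2_32(00000000,?,00000010), ref: 0150E3EE
• listen.WS2_32(00000000,00000001), ref: 0150E400
• connect.WS2_32(00000002,?,00000010), ref: 0150E44C
• accept.WS2_32(00000000,?,?), ref: 0150E463
"""
BEACON_SAMPLE = """
• socket.WS2_32(00000002,00000001,00000006), ref: 015907E3
• connect.WS2_32(00000000,0100007F,00000010), ref: 0159080B
• send.WS2_32(00000000,?,00000020,00000000), ref: 01590851
• recv.WS2_32(00000000,?,00000008,00000000), ref: 01590860
• closesocket.WS2_32(00000000), ref: 01590978
• TerminateThread.KERNEL32(00000000), ref: 01590A3E
"""
# Padding modelled on the 00404FF4..004063A4 block: two calls repeated with fixed junk arguments.
_JUNK_CALLS = ("SetCurrentDirectoryW.KERNEL32(xniGEsfZ)",
               "GetPrivateProfileSectionA.KERNEL32(gDHTGXgeeE,0040726A,00000008,tFnuHyjESekUexMHF)")
JUNK_SAMPLE = "\n".join("• %s, ref: %08X" % (_JUNK_CALLS[i % 2], 0x404FF4 + 0x30 * i) for i in range(24))

if __name__ == "__main__":
    for name, block in [("inject", INJECT_SAMPLE), ("socketpair", SOCKETPAIR_SAMPLE),
                        ("beacon", BEACON_SAMPLE), ("junk", JUNK_SAMPLE)]:
        print(name, classify(block))
```

Run as a script it prints the rules that fire for each sample block. The junk_padding thresholds (20 calls, at most 3 distinct signatures) are a starting point to tune against benign binaries, since a tight wrapper loop can also repeat one API; in this report the padding is easy to tell apart because the arguments are fixed nonsense strings rather than varying pointers.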
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 015154A3
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 015154B8
    • UnhandledExceptionFilter.KERNEL32(01605718), ref: 015154C3
    • GetCurrentProcess.KERNEL32(C0000409), ref: 015154DF
    • TerminateProcess.KERNEL32(00000000), ref: 015154E6
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetProcessHeap.KERNEL32(00000008,0000001C,.html,015E532C,?,00000000,01558232), ref: 0158E09B
    • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0158E0A2
    Strings
    • pwm,kwm,txt,cer,crt,der,pem,doc,cpp,c,php,js,cs,pas,bas,pl,py,docx,rtf,docm,xls,xlsx,safe,groups,xlk,xlsb,xlsm,mdb,mdf,dbf,sql,md,, xrefs: 0158E088
    • .html, xrefs: 0158E092
    APIs
      • Part of subcall function 01565D80: htons.WS2_32(?), ref: 01565DAB
      • Part of subcall function 01527627: socket.WS2_32(0157256E,0157256E,0157256E), ref: 01527634
    • setsockopt.WS2_32(00000000,00000029,0000001B,015973F9,00000004), ref: 015A79B0
    • bind.WS2_32(00000000,?,015973F9), ref: 015A79C8
      • Part of subcall function 0154D432: WSAGetLastError.WS2_32(00000002,?,01572599,00000000), ref: 0154D445
      • Part of subcall function 0154D432: getsockopt.WS2_32(000000FF,0000FFFF,00001007,000000FF,00000004), ref: 0154D470
      • Part of subcall function 01555BBA: closesocket.WS2_32(?), ref: 01555BBF
    • getsockname.WS2_32(00000000,?,?), ref: 015A7A12
      • Part of subcall function 01560184: ioctlsocket.WS2_32(0150875F,8004667E,00000000), ref: 015601A2
    APIs
    • IsDebuggerPresent.KERNEL32(?,00000001,?), ref: 01531672
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0153167C
    • UnhandledExceptionFilter.KERNEL32(?), ref: 01531689
    APIs
      • Part of subcall function 015503A9: RtlEnterCriticalSection.NTDLL(?), ref: 015503D3
      • Part of subcall function 0151245A: Sleep.KERNEL32(00000000,00000001,?,?,0158005B,00000018,01687370,0000000C,015503C4,?,?,?,01537A8A,0000000D), ref: 0151247B
      • Part of subcall function 01575F7A: GetCurrentProcess.KERNEL32(C0000417), ref: 01575F90
      • Part of subcall function 01575F7A: TerminateProcess.KERNEL32(00000000), ref: 01575F97
      • Part of subcall function 0156A939: HeapFree.KERNEL32(00000000,00000000), ref: 0156A94F
      • Part of subcall function 0156A939: GetLastError.KERNEL32(00000000), ref: 0156A961
    • GetTimeZoneInformation.KERNEL32(0168A808,00000000,00000000,00000000,00000000,00000000,01687760,0000002C,01509494,01687780,00000008,01585FB1,?,?,00000000), ref: 015E0F76
    APIs
    • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 015C142E
      • Part of subcall function 015C1624: GetLastError.KERNEL32(015C12FF), ref: 015C1624
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000005,00000000,0155CFE1,?,015B150C,00000001,00000000,0155CFE1,?,015B1924,0155CFE1,00000001,00000005,00000000,00000005,00000000), ref: 01550F66
    APIs
    • GetSystemInfo.KERNEL32(?,?,?,0155ABF9,01572842,0159961A,00000000,015973B1), ref: 015A3915
    APIs
    • Sleep.KERNEL32(000003E8), ref: 015938D5
      • Part of subcall function 01591163: CreateFileW.KERNEL32(C:\ProgramData\Sun\hygrtse,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 01591183
      • Part of subcall function 01591163: GetFileSize.KERNEL32(00000000,00000000,?,0155887B,?), ref: 01591192
      • Part of subcall function 01591163: ReadFile.KERNEL32(00000000,0155887B,0000028E,?,00000000), ref: 015911AF
      • Part of subcall function 01591163: CloseHandle.KERNEL32(00000000), ref: 015911C3
      • Part of subcall function 01591163: CloseHandle.KERNEL32(00000000), ref: 015911CE
    • ExitProcess.KERNEL32(00000000), ref: 015938FA
    • GetLogicalDriveStringsW.KERNEL32(00000400,?,.html,?,?,00000000,0155834C), ref: 0159391C
    • RtlInitializeCriticalSection.NTDLL(016CCF2C), ref: 0159392D
    • GetDriveTypeW.KERNEL32(?), ref: 015939A6
    • wsprintfW.USER32(?,0166C148,?), ref: 015939C6
    • GetFileAttributesW.KERNEL32(?,?,?,0155834C), ref: 015939D8
    • HeapCreate.KERNEL32(00000000,00010000,00000000), ref: 01593A48
    • RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 01593A5F
    • RtlInitializeCriticalSection.NTDLL(016CCC28), ref: 01593A89
    • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 01593AE6
    • CloseHandle.KERNEL32(?), ref: 01593AF6
    • HeapDestroy.KERNEL32(?,00000000,0155834C), ref: 01593B1E
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01593B86
    • WriteFile.KERNEL32(016CCF28,0168AD28,?,00000000), ref: 01593BA8
    • CloseHandle.KERNEL32 ref: 01593BB4
    APIs
    • GetCurrentThread.KERNEL32(0000000A,00000001,?), ref: 0158EB0C
    • OpenThreadToken.ADVAPI32(00000000), ref: 0158EB13
    • GetLastError.KERNEL32 ref: 0158EB1D
    • GetCurrentProcess.KERNEL32(0000000A,?), ref: 0158EB34
    • OpenProcessToken.ADVAPI32(00000000), ref: 0158EB3B
    • DuplicateToken.ADVAPI32(?,00000002,?), ref: 0158EB52
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0158EB77
    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0158EB9E
    • GetLengthSid.ADVAPI32(?), ref: 0158EBAF
    • InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0158EBCE
    • AddAccessAllowedAce.ADVAPI32(?,00000002,00000003,?), ref: 0158EBE5
    • SetSecurityDescriptorDacl.ADVAPI32(015E532C,00000001,?,00000000), ref: 0158EBFA
    • SetSecurityDescriptorGroup.ADVAPI32(015E532C,?,00000000), ref: 0158EC0B
    • SetSecurityDescriptorOwner.ADVAPI32(015E532C,?,00000000), ref: 0158EC18
    • IsValidSecurityDescriptor.ADVAPI32(015E532C), ref: 0158EC21
    • AccessCheck.ADVAPI32(015E532C,?,00000001,?,?,?,?,?), ref: 0158EC56
      • Part of subcall function 0158EC80: LocalFree.KERNEL32(?,0158EC6C), ref: 0158EC88
      • Part of subcall function 0158EC80: LocalFree.KERNEL32(015E532C,0158EC6C), ref: 0158EC96
      • Part of subcall function 0158EC80: FreeSid.ADVAPI32(?,0158EC6C), ref: 0158ECA4
      • Part of subcall function 0158EC80: CloseHandle.KERNEL32(?), ref: 0158ECB2
      • Part of subcall function 0158EC80: CloseHandle.KERNEL32(?), ref: 0158ECC0
    APIs
    • GetFileTime.KERNEL32(00000000,?,?,?), ref: 0158E611
    • ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0158E626
    • GetFileSize.KERNEL32(?,00000000), ref: 0158E6CB
    • ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0158E6F7
    • ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0158E7C3
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0158E82E
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0158E88A
    • DeleteFileW.KERNEL32(?), ref: 0158E8DD
    • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0158E8F2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0158E904
    • SetFileTime.KERNEL32(?,?,?,?), ref: 0158E919
    • DeleteFileW.KERNEL32(00000001), ref: 0158E932
    • CloseHandle.KERNEL32(?), ref: 0158E952
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(?,.html,015E532C,00000000,?,01594376,.html,015E532C,?,01558269), ref: 0158EFCC
    • RegisterClassExW.USER32 ref: 0158F03B
      • Part of subcall function 0151258B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0156CD9B,00000000,015A57C1,?,?,0152576F,000000FF,015A56CA,?,?,01502D13), ref: 01512596
      • Part of subcall function 0158ED1A: GetVersionExW.KERNEL32(?,?,?,01594376,.html,015E532C,?,01558269), ref: 0158ED53
      • Part of subcall function 0158ED1A: GetNativeSystemInfo.KERNEL32(?), ref: 0158ED5D
      • Part of subcall function 0158ED1A: RegOpenKeyExA.ADVAPI32(80000002,0166BC4C,00000000,00000101,?,?,01594376,.html,015E532C,?,01558269), ref: 0158ED77
      • Part of subcall function 0158ED1A: RegQueryValueExA.ADVAPI32(?,0166BC7C,00000000,00000000,?,?,?,01594376,.html,015E532C,?,01558269), ref: 0158EDA2
      • Part of subcall function 0158ED1A: RegCloseKey.ADVAPI32(?,?,01594376,.html,015E532C,?,01558269), ref: 0158EDAB
      • Part of subcall function 0158ED1A: GetModuleFileNameW.KERNEL32(00000000,?,000001FF,?,01594376,.html,015E532C,?,01558269), ref: 0158EDFE
      • Part of subcall function 0158ED1A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0158EE1A
      • Part of subcall function 0158ED1A: GetFileSize.KERNEL32(00000000,00000000,?,01594376,.html,015E532C,?,01558269), ref: 0158EE29
      • Part of subcall function 0158ED1A: CloseHandle.KERNEL32(00000000), ref: 0158EE32
    • CreateWindowExW.USER32(00000000,?,00000000,00000000,01594376,?,00000001,00000001,00000000,00000000,00000000), ref: 0158F08D
    • UpdateWindow.USER32(00000000), ref: 0158F094
    • TranslateMessage.USER32(?), ref: 0158F0A6
    • DispatchMessageW.USER32(?), ref: 0158F0B0
    • UnregisterClassW.USER32(?), ref: 0158F0D0
    • GetUserGeoID.KERNEL32(00000010), ref: 0158F0D8
    • GetTimeZoneInformation.KERNEL32(?,?,?,01594376,.html,015E532C,?,01558269), ref: 0158F109
    • CryptAcquireContextW.ADVAPI32(0168AD20,00000000,00000000,00000001,F0000000,?,01594376,.html,015E532C,?,01558269), ref: 0158F156
      • Part of subcall function 0158E13D: CryptGenRandom.ADVAPI32(00000014,?,016CA6DC,016CA58C,?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E156
      • Part of subcall function 0158E13D: GetSystemTimeAsFileTime.KERNEL32(?,?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E160
      • Part of subcall function 0158E13D: GetTickCount.KERNEL32(?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E166
      • Part of subcall function 0158E13D: GetCurrentThreadId.KERNEL32(?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E16F
      • Part of subcall function 0158E13D: GetCurrentProcessId.KERNEL32(?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E17A
    APIs
    • Sleep.KERNEL32(000003E8), ref: 0159362C
    • RtlEnterCriticalSection.NTDLL(?), ref: 01593642
    • RtlLeaveCriticalSection.NTDLL(?), ref: 01593671
      • Part of subcall function 0158E503: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0158E524
      • Part of subcall function 0158E503: ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0158E53D
      • Part of subcall function 0158E503: CloseHandle.KERNEL32(00000000), ref: 0158E544
      • Part of subcall function 0158E5B9: GetFileTime.KERNEL32(00000000,?,?,?), ref: 0158E611
      • Part of subcall function 0158E5B9: ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0158E626
      • Part of subcall function 0158E5B9: GetFileSize.KERNEL32(?,00000000), ref: 0158E6CB
      • Part of subcall function 0158E5B9: ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0158E6F7
      • Part of subcall function 0158E5B9: ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0158E7C3
      • Part of subcall function 0158E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0158E82E
      • Part of subcall function 0158E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0158E88A
      • Part of subcall function 0158E5B9: DeleteFileW.KERNEL32(?), ref: 0158E8DD
      • Part of subcall function 0158E5B9: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0158E8F2
      • Part of subcall function 0158E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0158E904
      • Part of subcall function 0158E5B9: SetFileTime.KERNEL32(?,?,?,?), ref: 0158E919
      • Part of subcall function 0158E5B9: DeleteFileW.KERNEL32(00000001), ref: 0158E932
      • Part of subcall function 0158E5B9: CloseHandle.KERNEL32(?), ref: 0158E952
      • Part of subcall function 0159462A: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,015937F2,?,?,?,00000400), ref: 01594644
    • RtlEnterCriticalSection.NTDLL(016CCF2C), ref: 01593861
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01593883
    • WriteFile.KERNEL32(016CCF28,?,?,?,00000000), ref: 015938A6
    • RtlLeaveCriticalSection.NTDLL(016CCF2C), ref: 015938AD
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,015E51F8,00000000,00000000,0162AEA0,0162AEA0,00000000,015E27F8,01687870,000000FF,?,01594254,00000000), ref: 01593F55
    • VirtualAllocEx.KERNEL32(00000002,00000000,?,00001000,00000004,015E51F8,00000000,00000000,0162AEA0,0162AEA0,00000000,015E27F8,01687870,000000FF,?,01594254), ref: 01593F60
      • Part of subcall function 0156A939: HeapFree.KERNEL32(00000000,00000000), ref: 0156A94F
      • Part of subcall function 0156A939: GetLastError.KERNEL32(00000000), ref: 0156A961
    • VirtualProtect.KERNEL32(?,?,00000020,?), ref: 01593FDC
    • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 01593FEE
    • WriteProcessMemory.KERNEL32(00000002,00000000,00000000,?,?), ref: 0159400B
    • VirtualProtectEx.KERNEL32(00000002,?,?,00000020,?), ref: 01594024
    • GetModuleHandleA.KERNEL32(0166C1F0,?,00000020,?), ref: 01594037
    • ResumeThread.KERNEL32(?,?,?,?,?,?,00000020,?), ref: 015940CE
    • ResumeThread.KERNEL32(?,?,00000020,?), ref: 0159414C
    • CloseHandle.KERNEL32(?), ref: 01594155
    APIs
    • GetLastError.KERNEL32(?,0154DBE5,00000001,?,?,01687350,00000010,0156D8C7,?,00000001,00000001,?,?,?,?), ref: 0153BBA1
      • Part of subcall function 0156D8EE: SetFilePointer.KERNEL32(00000000,00000001,00000000,0151ED28,00000001,00000001,?,?,?,0153B613,00000001,00000000,00000000,00000002,00000001,00000001), ref: 0156D930
      • Part of subcall function 0156D8EE: GetLastError.KERNEL32(?,0153B613,00000001,00000000,00000000,00000002,00000001,00000001,00000001,?,0154DBE5,00000001,?,?,01687350,00000010), ref: 0156D93D
    • GetConsoleMode.KERNEL32(00000001,?), ref: 0153B650
    • GetConsoleCP.KERNEL32(?,0154DBE5,00000001,?,?,01687350,00000010,0156D8C7,?,00000001,00000001,?,?,?,?), ref: 0153B670
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 0153B760
    • WriteFile.KERNEL32(00000001,?,00000000,?,00000000), ref: 0153B789
    • WriteFile.KERNEL32(00000001,?,00000001,?,00000000), ref: 0153B7E2
      • Part of subcall function 01549069: WriteConsoleW.KERNEL32(015E6590,00000001,00000001,00000000,00000000), ref: 0154909B
    • WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 0153B950
    • WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 0153BA2A
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0153BAFA
    • WriteFile.KERNEL32(00000001,?,00000000,?,00000000), ref: 0153BB2B
    • GetLastError.KERNEL32 ref: 0153BB41
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0153BB82
    APIs
    • OemToCharW.USER32(?,016D0718), ref: 01590330
    APIs
    • FindFirstFileExA.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0155134F
    • GetDriveTypeA.KERNEL32(00000000), ref: 015513B7
      • Part of subcall function 0156A939: HeapFree.KERNEL32(00000000,00000000), ref: 0156A94F
      • Part of subcall function 0156A939: GetLastError.KERNEL32(00000000), ref: 0156A961
      • Part of subcall function 0156A5A2: GetFileType.KERNEL32(?), ref: 0156A68B
      • Part of subcall function 0156A5A2: GetLastError.KERNEL32 ref: 0156A6AD
      • Part of subcall function 0156A5A2: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0156A71D
      • Part of subcall function 0156A5A2: GetFileInformationByHandle.KERNEL32(?,?), ref: 0156A755
      • Part of subcall function 0156A5A2: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0156A797
      • Part of subcall function 0156A5A2: FileTimeToSystemTime.KERNEL32(?,?), ref: 0156A7AD
      • Part of subcall function 0156A5A2: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0156A809
      • Part of subcall function 0156A5A2: FileTimeToSystemTime.KERNEL32(?,?), ref: 0156A81F
      • Part of subcall function 0156A5A2: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0156A87B
      • Part of subcall function 0156A5A2: FileTimeToSystemTime.KERNEL32(?,?), ref: 0156A891
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 015514D5
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 015514F1
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0155156B
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 01551587
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01551601
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0155161D
    • FindClose.KERNEL32(?), ref: 01551671
    • GetLastError.KERNEL32 ref: 015516CD
    • FindClose.KERNEL32(?), ref: 015516E0
    APIs
    • FindFirstFileW.KERNEL32(?,?), ref: 0159317A
    • RtlEnterCriticalSection.NTDLL(?), ref: 0159335D
    • RtlReAllocateHeap.NTDLL(00000008,?), ref: 015933DF
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 0159343F
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 01593489
    • RtlLeaveCriticalSection.NTDLL(?), ref: 015934A8
    • FindNextFileW.KERNEL32(?,?), ref: 015934B7
    • FindClose.KERNEL32(?), ref: 015934C9
    APIs
      • Part of subcall function 0157CC07: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0,01687450,0000000C,0154DBCB,00000001,01687350,00000010,0156D8C7,?,00000001,00000001,?,?,?,?), ref: 0157CC51
      • Part of subcall function 0157CC07: RtlEnterCriticalSection.NTDLL(?), ref: 0157CC89
    • GetFileType.KERNEL32(?), ref: 0156A68B
    • GetLastError.KERNEL32 ref: 0156A6AD
    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0156A71D
    • GetFileInformationByHandle.KERNEL32(?,?), ref: 0156A755
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0156A797
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0156A7AD
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0156A809
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0156A81F
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0156A87B
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0156A891
    APIs
      • Part of subcall function 01582159: GetLastError.KERNEL32(?,015BCB8F,01567506,01570344,00000000,?,?), ref: 0158215D
      • Part of subcall function 01582159: RtlDecodePointer.NTDLL(00000000), ref: 01582199
      • Part of subcall function 01582159: GetCurrentThreadId.KERNEL32 ref: 015821AF
      • Part of subcall function 01582159: SetLastError.KERNEL32(00000000), ref: 015821C7
      • Part of subcall function 0151245A: Sleep.KERNEL32(00000000,00000001,?,?,0158005B,00000018,01687370,0000000C,015503C4,?,?,?,01537A8A,0000000D), ref: 0151247B
      • Part of subcall function 015503A9: RtlEnterCriticalSection.NTDLL(?), ref: 015503D3
    • SetConsoleCtrlHandler.KERNEL32(015DEC10,00000001), ref: 0157BCBC
    • GetLastError.KERNEL32(?,015D12F3), ref: 0157BCD8
    • RtlDecodePointer.NTDLL(016873D0), ref: 0157BD0C
    • RtlEncodePointer.NTDLL(?), ref: 0157BD1A
    • RtlDecodePointer.NTDLL(016873D0), ref: 0157BD2D
    • RtlEncodePointer.NTDLL(?), ref: 0157BD3B
    • RtlDecodePointer.NTDLL(016873D0), ref: 0157BD4E
    • RtlEncodePointer.NTDLL(?), ref: 0157BD5C
    • RtlDecodePointer.NTDLL(016873D0), ref: 0157BD6F
    • RtlEncodePointer.NTDLL(?), ref: 0157BD7D
    APIs
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000001,?,00000040,00000000,?,01592687,00000000,?,01558A4E), ref: 0158F257
    • BitBlt.GDI32(?,?,00000000,00000000,00000000,00CC0020,?,01592687,00000000), ref: 0158F299
    • SetBkMode.GDI32(?,00000001), ref: 0158F2A4
    • SelectObject.GDI32(?), ref: 0158F2C3
    • GetTextExtentPointW.GDI32(?,?,?,?), ref: 0158F2D7
    • TextOutW.GDI32(?,0000005C,?,?,?), ref: 0158F317
    • TextOutW.GDI32(?,?,?,?,?), ref: 0158F354
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00090A4F,?,00000000,?), ref: 01590D0B
    • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 01590D19
    • TerminateThread.KERNEL32(00000000,00000000), ref: 01590D25
    • CloseHandle.KERNEL32(00000000), ref: 01590D2C
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 01590FC6
    • GetTempPathW.KERNEL32(00000200,?), ref: 01591013
    • DeleteFileW.KERNEL32(?), ref: 0159106E
    • GetVersion.KERNEL32 ref: 01591074
    • CoInitialize.OLE32(00000000), ref: 01591085
    • CoCreateInstance.OLE32(01603EF8,00000000,00000001,01603F50,?), ref: 015910A0
    • CoUninitialize.OLE32 ref: 015910CF
      • Part of subcall function 01590EAC: CoInitializeEx.OLE32(00000000,00000000), ref: 01590EBE
      • Part of subcall function 01590EAC: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 01590ED0
      • Part of subcall function 01590EAC: CoCreateInstance.OLE32(0160610C,00000000,00000001,01605EFC,?), ref: 01590EEA
      • Part of subcall function 01590EAC: CoUninitialize.OLE32 ref: 01590F9B
    APIs
    • GetDesktopWindow.USER32(00000000,000002BC,015921E7,00000000,00000000), ref: 01591DEE
    • GetDC.USER32(00000000), ref: 01591DF8
    • CreateCompatibleBitmap.GDI32(00000000,00000331,00000219), ref: 01591E04
    • CreateCompatibleDC.GDI32(00000000), ref: 01591E10
    • SelectObject.GDI32(00000000,?), ref: 01591E1D
    • SetDIBits.GDI32 ref: 01591E6E
    • ReleaseDC.USER32(?,?), ref: 01591E7A
    APIs
    • SetTextColor.GDI32(?,00FFFFFF), ref: 0158F510
    • SetBkMode.GDI32(?,00000001), ref: 0158F519
    • GetTextExtentPoint32W.GDI32(?,0166BC94,00000007,?), ref: 0158F52B
    • SetTextColor.GDI32(?,00FFFFFF), ref: 0158F647
    • GetTextExtentPoint32W.GDI32(?,0166BC94,00000007,?), ref: 0158F6E3
    • SetTextColor.GDI32(?), ref: 0158F6F3
    • BitBlt.GDI32(?,?,00000000,00000000,00000000,00CC0020,?,01592687,00000000), ref: 0158F734
    • GetTextExtentPoint32W.GDI32(?,0166BC94,00000007,?), ref: 0158F769
    • SetTextColor.GDI32(?), ref: 0158F7A4
      • Part of subcall function 0158F3D8: GetTextExtentPoint32W.GDI32(?,?,-0000FFFF,0158F8B0), ref: 0158F43A
      • Part of subcall function 0158F3D8: GetTextExtentPoint32W.GDI32(?,?,-0000FFFF,0158F8B0), ref: 0158F468
      • Part of subcall function 0158F3D8: TextOutW.GDI32(?,0158F8B0,?,?,?), ref: 0158F4D1
    APIs
    • GetVersionExW.KERNEL32(?,?,?,01594376,.html,015E532C,?,01558269), ref: 0158ED53
    • GetNativeSystemInfo.KERNEL32(?), ref: 0158ED5D
    • RegOpenKeyExA.ADVAPI32(80000002,0166BC4C,00000000,00000101,?,?,01594376,.html,015E532C,?,01558269), ref: 0158ED77
    • RegQueryValueExA.ADVAPI32(?,0166BC7C,00000000,00000000,?,?,?,01594376,.html,015E532C,?,01558269), ref: 0158EDA2
    • RegCloseKey.ADVAPI32(?,?,01594376,.html,015E532C,?,01558269), ref: 0158EDAB
      • Part of subcall function 0151258B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0156CD9B,00000000,015A57C1,?,?,0152576F,000000FF,015A56CA,?,?,01502D13), ref: 01512596
    • GetModuleFileNameW.KERNEL32(00000000,?,000001FF,?,01594376,.html,015E532C,?,01558269), ref: 0158EDFE
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0158EE1A
    • GetFileSize.KERNEL32(00000000,00000000,?,01594376,.html,015E532C,?,01558269), ref: 0158EE29
    • CloseHandle.KERNEL32(00000000), ref: 0158EE32
      • Part of subcall function 0158E95F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0158E971
      • Part of subcall function 0158E95F: Process32FirstW.KERNEL32 ref: 0158E98B
      • Part of subcall function 0158E95F: Process32NextW.KERNEL32(00000000,0000022C), ref: 0158E9E2
      • Part of subcall function 0158E95F: CloseHandle.KERNEL32(00000000), ref: 0158E9ED
      • Part of subcall function 0158E95F: CloseHandle.KERNEL32(00000000), ref: 0158E9F9
      • Part of subcall function 0158ECC7: GetVersion.KERNEL32(0155825B), ref: 0158ECC7
    APIs
    • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000), ref: 0158FB1A
    • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00000000,00CC0020,?,0158FF54), ref: 0158FB46
      • Part of subcall function 0158F1F1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000001,?,00000040,00000000,?,01592687,00000000,?,01558A4E), ref: 0158F257
      • Part of subcall function 0158F1F1: BitBlt.GDI32(?,?,00000000,00000000,00000000,00CC0020,?,01592687,00000000), ref: 0158F299
      • Part of subcall function 0158F1F1: SetBkMode.GDI32(?,00000001), ref: 0158F2A4
      • Part of subcall function 0158F1F1: SelectObject.GDI32(?), ref: 0158F2C3
      • Part of subcall function 0158F1F1: GetTextExtentPointW.GDI32(?,?,?,?), ref: 0158F2D7
      • Part of subcall function 0158F1F1: TextOutW.GDI32(?,0000005C,?,?,?), ref: 0158F317
      • Part of subcall function 0158F1F1: TextOutW.GDI32(?,?,?,?,?), ref: 0158F354
    • SetTextColor.GDI32(?,00FF80FF), ref: 0158FDEB
    • DrawTextW.USER32(?,016CD748,000000FF,?,00004024), ref: 0158FE31
    • SetTextColor.GDI32(?,00FF80FF), ref: 0158FE86
    • DrawTextW.USER32(?,016CD748,000000FF,?,00004024), ref: 0158FED0
      • Part of subcall function 0158F835: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,?,00001000,?,01592687,00000000,?,01558A4E), ref: 0158F880
      • Part of subcall function 0158F8B7: SetTextColor.GDI32(?,00FFFFFF), ref: 0158F904
      • Part of subcall function 0158F8B7: SetTextColor.GDI32(?,0020FFFF), ref: 0158F91E
    APIs
      • Part of subcall function 0158EFB8: GetSystemTimeAsFileTime.KERNEL32(?,.html,015E532C,00000000,?,01594376,.html,015E532C,?,01558269), ref: 0158EFCC
      • Part of subcall function 0158EFB8: RegisterClassExW.USER32 ref: 0158F03B
      • Part of subcall function 0158EFB8: CreateWindowExW.USER32(00000000,?,00000000,00000000,01594376,?,00000001,00000001,00000000,00000000,00000000), ref: 0158F08D
      • Part of subcall function 0158EFB8: UpdateWindow.USER32(00000000), ref: 0158F094
      • Part of subcall function 0158EFB8: TranslateMessage.USER32(?), ref: 0158F0A6
      • Part of subcall function 0158EFB8: DispatchMessageW.USER32(?), ref: 0158F0B0
      • Part of subcall function 0158EFB8: UnregisterClassW.USER32(?), ref: 0158F0D0
      • Part of subcall function 0158EFB8: GetUserGeoID.KERNEL32(00000010), ref: 0158F0D8
      • Part of subcall function 0158EFB8: GetTimeZoneInformation.KERNEL32(?,?,?,01594376,.html,015E532C,?,01558269), ref: 0158F109
      • Part of subcall function 0158EFB8: CryptAcquireContextW.ADVAPI32(0168AD20,00000000,00000000,00000001,F0000000,?,01594376,.html,015E532C,?,01558269), ref: 0158F156
    • Sleep.KERNEL32(00002710,.html,015E532C,?,01558269), ref: 015943AC
    • ExitProcess.KERNEL32(00000000,?,01558269), ref: 015943BD
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 01594423
    • WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 01594439
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 01590A75
    • InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 01590AAE
    • HttpOpenRequestA.WININET(00000000,0166BF30,0166BF14,0166BF24,?,0166BF14,84A83100,00000000), ref: 01590AE7
    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 01590B11
    • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 01590B35
    • HttpOpenRequestA.WININET(00000000,0166BF30,0166BF14,0166BF24,?,0166BF14,84080100,00000000), ref: 01590B6E
    • HttpSendRequestA.WININET(?,?,000000FF,00000000,00000000), ref: 01590B85
    • InternetReadFile.WININET(00000000,00000000,00001000,0166BF14), ref: 01590BCD
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • htons.WS2_32(00000010), ref: 0154B730
    • htonl.WS2_32(0000012C), ref: 0154B783
    • htonl.WS2_32(00000000), ref: 0154B7FA
    • htons.WS2_32(?), ref: 0154B815
    • htons.WS2_32(00000000), ref: 0154B85D
      • Part of subcall function 0151258B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0156CD9B,00000000,015A57C1,?,?,0152576F,000000FF,015A56CA,?,?,01502D13), ref: 01512596
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CoInitialize.OLE32(00000000), ref: 015926D7
    • CoCreateInstance.OLE32(01603EF8,00000000,00000001,01603F50,00000001), ref: 015926F9
    • CoUninitialize.OLE32 ref: 01592703
    • GetUserNameW.ADVAPI32(?,?), ref: 0159279C
    • CoUninitialize.OLE32 ref: 0159288E
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • LoadLibraryA.KERNEL32(01674900), ref: 015CB97A
    • CloseHandle.KERNEL32(00000000), ref: 015CB9E1
    • FreeLibrary.KERNEL32(00000000), ref: 015CB9E8
    • CloseHandle.KERNEL32(00000000), ref: 015CBA1B
    • FreeLibrary.KERNEL32(00000000), ref: 015CBA22
    • CloseHandle.KERNEL32(00000000), ref: 015CBA30
    • FreeLibrary.KERNEL32(00000000), ref: 015CBA37
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetDesktopWindow.USER32(000000FF,000000FF,015E5198,?,01558A4E), ref: 0159261A
    • GetClientRect.USER32(00000000), ref: 01592621
    • CreateWindowExW.USER32(00000080,016CCF64,0166C060,80000000,?,01558A4E,016CCF9C,016CCF98,00000000,00000000,00000000), ref: 01592679
      • Part of subcall function 0158FF19: GetDC.USER32(?), ref: 0158FF46
      • Part of subcall function 0158FF19: ReleaseDC.USER32(?,00000000), ref: 0158FF59
      • Part of subcall function 0158FF19: MoveWindow.USER32(016CCBD8,00000000,00000000,00000000,00000000,00000000), ref: 0158FF8B
      • Part of subcall function 0158FF19: SetWindowTextA.USER32(016CA5A6), ref: 0158FFEC
      • Part of subcall function 0158FF19: RedrawWindow.USER32(?,00000000,00000000,00000001), ref: 0159002B
    • ShowWindow.USER32(00000000,00000005), ref: 0159268B
    • UpdateWindow.USER32(00000000), ref: 01592692
    • TranslateMessage.USER32(?), ref: 015926A4
    • DispatchMessageW.USER32(?), ref: 015926AE
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CreateFileW.KERNEL32(C:\ProgramData\Sun\hygrtse,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 01591183
    • GetFileSize.KERNEL32(00000000,00000000,?,0155887B,?), ref: 01591192
    • ReadFile.KERNEL32(00000000,0155887B,0000028E,?,00000000), ref: 015911AF
    • CloseHandle.KERNEL32(00000000), ref: 015911C3
    • CloseHandle.KERNEL32(00000000), ref: 015911CE
    Strings
    • C:\ProgramData\Sun\hygrtse, xrefs: 0159117E
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • Sleep.KERNEL32(000005DC,?,00000000,0155894B), ref: 01594466
    • SetProcessWindowStation.USER32(00000000), ref: 01594476
    • Sleep.KERNEL32(000005DC,?,00000000,0155894B), ref: 015944A1
    • SetThreadDesktop.USER32(00000000), ref: 015944B7
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
      • Part of subcall function 0156D8EE: SetFilePointer.KERNEL32(00000000,00000001,00000000,0151ED28,00000001,00000001,?,?,?,0153B613,00000001,00000000,00000000,00000002,00000001,00000001), ref: 0156D930
      • Part of subcall function 0156D8EE: GetLastError.KERNEL32(?,0153B613,00000001,00000000,00000000,00000002,00000001,00000001,00000001,?,0154DBE5,00000001,?,?,01687350,00000010), ref: 0156D93D
    • GetProcessHeap.KERNEL32(00000008,00001000), ref: 01508170
    • RtlAllocateHeap.NTDLL(00000000), ref: 01508177
      • Part of subcall function 0153B540: GetConsoleMode.KERNEL32(00000001,?), ref: 0153B650
      • Part of subcall function 0153B540: GetConsoleCP.KERNEL32(?,0154DBE5,00000001,?,?,01687350,00000010,0156D8C7,?,00000001,00000001,?,?,?,?), ref: 0153B670
      • Part of subcall function 0153B540: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 0153B760
      • Part of subcall function 0153B540: WriteFile.KERNEL32(00000001,?,00000000,?,00000000), ref: 0153B789
      • Part of subcall function 0153B540: WriteFile.KERNEL32(00000001,?,00000001,?,00000000), ref: 0153B7E2
      • Part of subcall function 0153B540: WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 0153B950
      • Part of subcall function 0153B540: WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 0153BA2A
      • Part of subcall function 0153B540: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0153BAFA
      • Part of subcall function 0153B540: WriteFile.KERNEL32(00000001,?,00000000,?,00000000), ref: 0153BB2B
      • Part of subcall function 0153B540: GetLastError.KERNEL32 ref: 0153BB41
      • Part of subcall function 0153B540: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0153BB82
      • Part of subcall function 0153B540: GetLastError.KERNEL32(?,0154DBE5,00000001,?,?,01687350,00000010,0156D8C7,?,00000001,00000001,?,?,?,?), ref: 0153BBA1
    • GetProcessHeap.KERNEL32(00000000,?), ref: 015081F3
    • HeapFree.KERNEL32(00000000), ref: 015081FA
    • SetEndOfFile.KERNEL32(00000000), ref: 01508255
    • GetLastError.KERNEL32 ref: 01508282
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
      • Part of subcall function 015043E8: htonl.WS2_32(?), ref: 0150444E
    • htonl.WS2_32(0151CF0C), ref: 0151E3D8
      • Part of subcall function 015B35A3: htonl.WS2_32(?), ref: 015B36FF
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
      • Part of subcall function 0159C6AB: GetProcAddress.KERNEL32(00000000,0166ED18,?,00000000,?,01572439,?,00000100,00000000,?,0157FBC5,00000002,?,00000100,?,01547C60), ref: 0159C6D6
      • Part of subcall function 0159C6AB: FreeLibrary.KERNEL32(?,?,01572439,?,00000100,00000000,?,0157FBC5,00000002,?,00000100,?,01547C60,?,?,00000000), ref: 0159C798
      • Part of subcall function 01529CC1: htonl.WS2_32(?), ref: 01529CF4
      • Part of subcall function 0156C4CB: htonl.WS2_32(?), ref: 0156C561
      • Part of subcall function 0156A939: HeapFree.KERNEL32(00000000,00000000), ref: 0156A94F
      • Part of subcall function 0156A939: GetLastError.KERNEL32(00000000), ref: 0156A961
    • htons.WS2_32(00000009), ref: 0157255A
      • Part of subcall function 01527627: socket.WS2_32(0157256E,0157256E,0157256E), ref: 01527634
    • htonl.WS2_32 ref: 01572585
      • Part of subcall function 0154D432: WSAGetLastError.WS2_32(00000002,?,01572599,00000000), ref: 0154D445
      • Part of subcall function 0154D432: getsockopt.WS2_32(000000FF,0000FFFF,00001007,000000FF,00000004), ref: 0154D470
      • Part of subcall function 01555BBA: closesocket.WS2_32(?), ref: 01555BBF
      • Part of subcall function 01565D80: htons.WS2_32(?), ref: 01565DAB
    • connect.WS2_32(00000000,?,?), ref: 015725A6
    • getsockname.WS2_32(00000000,?,?), ref: 015725C1
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • gethostname.WS2_32(?,00000100), ref: 01547BFD
      • Part of subcall function 015043E8: htonl.WS2_32(?), ref: 0150444E
      • Part of subcall function 0157FBAE: htonl.WS2_32(00000000), ref: 0157FBDC
    • htonl.WS2_32(?), ref: 01547C8F
      • Part of subcall function 0152032B: htonl.WS2_32(?), ref: 01520339
      • Part of subcall function 015787B4: htonl.WS2_32(?), ref: 015787CA
      • Part of subcall function 0156A939: HeapFree.KERNEL32(00000000,00000000), ref: 0156A94F
      • Part of subcall function 0156A939: GetLastError.KERNEL32(00000000), ref: 0156A961
      • Part of subcall function 0155230E: htonl.WS2_32(?), ref: 01552333
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 015C14EC
    • CryptSetHashParam.ADVAPI32(00000000,00000002,?,00000000), ref: 015C150B
      • Part of subcall function 015C1624: GetLastError.KERNEL32(015C12FF), ref: 015C1624
    • CryptSignHashA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 015C1538
    • CryptDestroyHash.ADVAPI32(?), ref: 015C15A3
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01594292
    • Process32FirstW.KERNEL32 ref: 015942A8
      • Part of subcall function 015941C0: OpenProcessToken.ADVAPI32(000000FF,00000028,00000002,00000000,00000001,?,015942FB,0000022C), ref: 015941DE
      • Part of subcall function 015941C0: LookupPrivilegeValueW.ADVAPI32(00000000,0166C230,00000040), ref: 015941F2
      • Part of subcall function 015941C0: AdjustTokenPrivileges.ADVAPI32(00000002,00000000,?,00000010,00000000,00000000,?,015942FB,0000022C), ref: 01594212
      • Part of subcall function 015941C0: OpenProcess.KERNEL32(001FFFFF,00000000,00000002,?,015942FB,0000022C), ref: 01594221
      • Part of subcall function 015941C0: CloseHandle.KERNEL32(00000000), ref: 0159425E
    • Process32NextW.KERNEL32(00000000,?), ref: 01594311
    • Sleep.KERNEL32(000003E8), ref: 01594323
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CreateFileW.KERNEL32(C:\ProgramData\Sun\hygrtse,40000000,00000000,00000000,00000004,00000002,00000000), ref: 01591272
    • Sleep.KERNEL32(00000064,?,01558807), ref: 01591281
    • WriteFile.KERNEL32(00000000,?,0000028E,01558807,00000000), ref: 015912A1
    • CloseHandle.KERNEL32(00000000), ref: 015912A8
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0158E524
    • ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0158E53D
    • CloseHandle.KERNEL32(00000000), ref: 0158E544
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,?), ref: 01536146
    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,?), ref: 0153617A
    • GetLastError.KERNEL32 ref: 0153619F
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,?), ref: 015361CD
    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?), ref: 0153628B
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetDC.USER32(?), ref: 0158FF46
      • Part of subcall function 0158FADC: BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000), ref: 0158FB1A
      • Part of subcall function 0158FADC: BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00000000,00CC0020,?,0158FF54), ref: 0158FB46
      • Part of subcall function 0158FADC: SetTextColor.GDI32(?,00FF80FF), ref: 0158FDEB
      • Part of subcall function 0158FADC: DrawTextW.USER32(?,016CD748,000000FF,?,00004024), ref: 0158FE31
      • Part of subcall function 0158FADC: SetTextColor.GDI32(?,00FF80FF), ref: 0158FE86
      • Part of subcall function 0158FADC: DrawTextW.USER32(?,016CD748,000000FF,?,00004024), ref: 0158FED0
    • ReleaseDC.USER32(?,00000000), ref: 0158FF59
    • MoveWindow.USER32(016CCBD8,00000000,00000000,00000000,00000000,00000000), ref: 0158FF8B
    • SetWindowTextA.USER32(016CA5A6), ref: 0158FFEC
      • Part of subcall function 0158F9C2: GetTickCount.KERNEL32(key,?,?,01592939,00000000,00000000,?,00000000,00000000,?,0158F862,00000000,?,00000000,00000000,00000000), ref: 0158FA1D
    • RedrawWindow.USER32(?,00000000,00000000,00000001), ref: 0159002B
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 0150EA10
    • GetProcAddress.KERNEL32(00000000,01674628), ref: 0150EA20
    • GetDesktopWindow.USER32 ref: 0150EA4A
    • GetProcessWindowStation.USER32 ref: 0150EA50
    • GetLastError.KERNEL32 ref: 0150EA72
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,?), ref: 015D9CEA
    • RtlLeaveCriticalSection.NTDLL(?), ref: 015D9D05
    • GetQueuedCompletionStatus.KERNEL32(?,?,000000FF,?,?), ref: 015D9D4C
    • ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 015D9D7E
    • RtlLeaveCriticalSection.NTDLL(?), ref: 015D9D87
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0158E971
    • Process32FirstW.KERNEL32 ref: 0158E98B
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0158E9E2
    • CloseHandle.KERNEL32(00000000), ref: 0158E9ED
    • CloseHandle.KERNEL32(00000000), ref: 0158E9F9
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 015537D4
    • GetCurrentProcessId.KERNEL32 ref: 015537E0
    • GetCurrentThreadId.KERNEL32 ref: 015537E8
    • GetTickCount.KERNEL32 ref: 015537F0
    • QueryPerformanceCounter.KERNEL32(?), ref: 015537FC
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CryptGenRandom.ADVAPI32(00000014,?,016CA6DC,016CA58C,?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E156
    • GetSystemTimeAsFileTime.KERNEL32(?,?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E160
    • GetTickCount.KERNEL32(?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E166
    • GetCurrentThreadId.KERNEL32(?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E16F
    • GetCurrentProcessId.KERNEL32(?,0158F16B,016CA528,?,01594376,.html,015E532C,?,01558269), ref: 0158E17A
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • LocalFree.KERNEL32(?,0158EC6C), ref: 0158EC88
    • LocalFree.KERNEL32(015E532C,0158EC6C), ref: 0158EC96
    • FreeSid.ADVAPI32(?,0158EC6C), ref: 0158ECA4
    • CloseHandle.KERNEL32(?), ref: 0158ECB2
    • CloseHandle.KERNEL32(?), ref: 0158ECC0
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 015C12CC
    • CryptSetHashParam.ADVAPI32(?,00000002,?,00000000), ref: 015C12EB
      • Part of subcall function 015C1624: GetLastError.KERNEL32(015C12FF), ref: 015C1624
    • CryptSignHashA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 015C131B
    • CryptDestroyHash.ADVAPI32(?), ref: 015C135F
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 01590EBE
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 01590ED0
    • CoCreateInstance.OLE32(0160610C,00000000,00000001,01605EFC,?), ref: 01590EEA
    • CoUninitialize.OLE32 ref: 01590F9B
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • htonl.WS2_32(?), ref: 0159B716
    • htonl.WS2_32(?), ref: 0159B763
      • Part of subcall function 0152032B: htonl.WS2_32(?), ref: 01520339
      • Part of subcall function 0156A939: HeapFree.KERNEL32(00000000,00000000), ref: 0156A94F
      • Part of subcall function 0156A939: GetLastError.KERNEL32(00000000), ref: 0156A961
    • htonl.WS2_32(?), ref: 0159B7FE
    • htonl.WS2_32(00000000), ref: 0159B833
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • LoadLibraryA.KERNEL32(01674900), ref: 015CBA8F
    • FreeLibrary.KERNEL32(00000000), ref: 015CBAD5
    • CloseHandle.KERNEL32(00000000), ref: 015CBAFE
    • FreeLibrary.KERNEL32(00000000), ref: 015CBB05
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • DestroyWindow.USER32(?), ref: 0158EF7E
    • PostQuitMessage.USER32(00000000), ref: 0158EF88
    • SetTimer.USER32(?,00000032,00000032,00000000), ref: 0158EF99
    • DefWindowProcW.USER32(?,?,?,?), ref: 0158EFAB
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetLastError.KERNEL32(?,015BCB8F,01567506,01570344,00000000,?,?), ref: 0158215D
      • Part of subcall function 0158A606: TlsGetValue.KERNEL32(015BCB8F,01582170), ref: 0158A60F
      • Part of subcall function 0158A606: RtlDecodePointer.NTDLL ref: 0158A621
      • Part of subcall function 0158A606: TlsSetValue.KERNEL32(00000000), ref: 0158A630
    • SetLastError.KERNEL32(00000000), ref: 015821C7
      • Part of subcall function 01558E62: Sleep.KERNEL32(00000000,01582184,00000001,00000214), ref: 01558E8A
    • RtlDecodePointer.NTDLL(00000000), ref: 01582199
    • GetCurrentThreadId.KERNEL32 ref: 015821AF
      • Part of subcall function 0156A939: HeapFree.KERNEL32(00000000,00000000), ref: 0156A94F
      • Part of subcall function 0156A939: GetLastError.KERNEL32(00000000), ref: 0156A961
      • Part of subcall function 01537A40: GetModuleHandleW.KERNEL32(016042B4,016872C0,00000008,015821AD,00000000,00000000), ref: 01537A51
      • Part of subcall function 01537A40: InterlockedIncrement.KERNEL32(015E58C0), ref: 01537A92
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • htons.WS2_32(00000000), ref: 01562F7F
      • Part of subcall function 0156A939: HeapFree.KERNEL32(00000000,00000000), ref: 0156A94F
      • Part of subcall function 0156A939: GetLastError.KERNEL32(00000000), ref: 0156A961
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • htonl.WS2_32(43452D45), ref: 015A35F8
    • htonl.WS2_32(00000000), ref: 015A362A
      • Part of subcall function 0156C4CB: htonl.WS2_32(?), ref: 0156C561
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetProcessHeap.KERNEL32 ref: 0159352A
    • wsprintfW.USER32(?,0166C170,016CD748,016CA6CC), ref: 01593578
      • Part of subcall function 0158E5B9: GetFileTime.KERNEL32(00000000,?,?,?), ref: 0158E611
      • Part of subcall function 0158E5B9: ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0158E626
      • Part of subcall function 0158E5B9: GetFileSize.KERNEL32(?,00000000), ref: 0158E6CB
      • Part of subcall function 0158E5B9: ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0158E6F7
      • Part of subcall function 0158E5B9: ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0158E7C3
      • Part of subcall function 0158E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0158E82E
      • Part of subcall function 0158E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0158E88A
      • Part of subcall function 0158E5B9: DeleteFileW.KERNEL32(?), ref: 0158E8DD
      • Part of subcall function 0158E5B9: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0158E8F2
      • Part of subcall function 0158E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0158E904
      • Part of subcall function 0158E5B9: SetFileTime.KERNEL32(?,?,?,?), ref: 0158E919
      • Part of subcall function 0158E5B9: DeleteFileW.KERNEL32(00000001), ref: 0158E932
      • Part of subcall function 0158E5B9: CloseHandle.KERNEL32(?), ref: 0158E952
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000104,00000100,?,0159C6BC,00000000,?,01572439,?,00000100,00000000,?,0157FBC5,00000002,?,00000100), ref: 0158D77A
    • LoadLibraryW.KERNEL32(?), ref: 0158D7CF
    Memory Dump Source
    • Source File: 00000001.00000002.867921179.01500000.00000020.sdmp, Offset: 01500000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1500000_downloaded.jbxd

    Executed Functions

    APIs
    • LoadLibraryA.KERNEL32(user32.dll), ref: 003E6441
    • GetProcAddress.KERNEL32(00000000,GetDC), ref: 003E644F
    • GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 003E6460
    • GetProcAddress.KERNEL32(00000000,FillRect), ref: 003E6471
    • GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 003E6482
    • GetProcAddress.KERNEL32(00000000,GetWindowRect), ref: 003E6493
    • GetProcAddress.KERNEL32(00000000,GetDesktopWindow), ref: 003E64A4
    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 003E64B4
    • GetProcAddress.KERNEL32(00000000,RegSetValueExW), ref: 003E64C2
    • GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 003E64D3
    • GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 003E64E4
    • GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 003E64F5
    • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 003E6506
    • GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 003E6517
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 003E6528
    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 003E6539
    • LoadLibraryA.KERNEL32(gdi32.dll), ref: 003E6549
    • GetProcAddress.KERNEL32(00000000,SetTextColor), ref: 003E6557
    • GetProcAddress.KERNEL32(00000000,GetTextExtentPoint32W), ref: 003E6568
    • GetProcAddress.KERNEL32(00000000,GetDIBits), ref: 003E6579
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 003E658A
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 003E659B
    • GetProcAddress.KERNEL32(00000000,CreateSolidBrush), ref: 003E65AC
    • GetProcAddress.KERNEL32(00000000,TextOutW), ref: 003E65BD
    • GetProcAddress.KERNEL32(00000000,CreateFontW), ref: 003E65CE
    • GetProcAddress.KERNEL32(00000000,SetBkMode), ref: 003E65DF
    • GetProcAddress.KERNEL32(00000000,SelectObject), ref: 003E65F0
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 003E6600
    • GetProcAddress.KERNEL32(00000000,HeapDestroy), ref: 003E660E
    • GetProcAddress.KERNEL32(00000000,SetEndOfFile), ref: 003E661F
    • GetProcAddress.KERNEL32(00000000,SetFilePointer), ref: 003E6630
    • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 003E6641
    • GetProcAddress.KERNEL32(00000000,WideCharToMultiByte), ref: 003E6652
    • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 003E6663
    • GetProcAddress.KERNEL32(00000000,GetTickCount), ref: 003E6674
    • GetProcAddress.KERNEL32(00000000,GetDriveTypeW), ref: 003E6685
    • GetProcAddress.KERNEL32(00000000,EnterCriticalSection), ref: 003E6696
    • GetProcAddress.KERNEL32(00000000,GetTempPathW), ref: 003E66A7
    • GetProcAddress.KERNEL32(00000000,SetFileTime), ref: 003E66B8
    • GetProcAddress.KERNEL32(00000000,InitializeCriticalSection), ref: 003E66C9
    • GetProcAddress.KERNEL32(00000000,HeapReAlloc), ref: 003E66DA
    • GetProcAddress.KERNEL32(00000000,GetCurrentThread), ref: 003E66EB
    • GetProcAddress.KERNEL32(00000000,HeapAlloc), ref: 003E66FC
    • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 003E670D
    • GetProcAddress.KERNEL32(00000000,LeaveCriticalSection), ref: 003E671E
    • GetProcAddress.KERNEL32(00000000,GetUserGeoID), ref: 003E672F
    • GetProcAddress.KERNEL32(00000000,DeleteCriticalSection), ref: 003E6740
    • GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 003E6751
    • GetProcAddress.KERNEL32(00000000,CreateThread), ref: 003E6762
    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 003E6773
    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 003E6784
    • GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 003E6795
    • GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsW), ref: 003E67A6
    • GetProcAddress.KERNEL32(00000000,WaitForMultipleObjects), ref: 003E67B7
    • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 003E67C8
    • GetProcAddress.KERNEL32(00000000,SetErrorMode), ref: 003E67D9
    • GetProcAddress.KERNEL32(00000000,GetFileTime), ref: 003E67EA
    • GetProcAddress.KERNEL32(00000000,Sleep), ref: 003E67FB
    • GetProcAddress.KERNEL32(00000000,GetProcessHeap), ref: 003E680C
    • GetProcAddress.KERNEL32(00000000,HeapFree), ref: 003E681D
    • GetProcAddress.KERNEL32(00000000,FindClose), ref: 003E682E
    • GetProcAddress.KERNEL32(00000000,SetThreadPriority), ref: 003E683F
    • GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 003E6850
    • GetProcAddress.KERNEL32(00000000,MultiByteToWideChar), ref: 003E6861
    • GetProcAddress.KERNEL32(00000000,GetSystemTimeAsFileTime), ref: 003E6872
    • GetProcAddress.KERNEL32(00000000,HeapCreate), ref: 003E6883
    • GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 003E6894
    • GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 003E68A5
    • LoadLibraryA.KERNEL32(shell32.dll), ref: 003E68B5
    • GetProcAddress.KERNEL32(00000000,SHEmptyRecycleBinW), ref: 003E68C3
    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 003E68D4
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • GetLogicalDriveStringsW.KERNELBASE(00000400,?), ref: 003E5165
    • RtlInitializeCriticalSection.NTDLL(0044D8BC), ref: 003E5188
    • CreateThread.KERNEL32(00000000,00000000,Function_00005141,00000000,00000000,00000000), ref: 003E51A5
    • WaitForMultipleObjects.KERNEL32(00000001,?,00000001,00000BB8), ref: 003E51C4
    • CloseHandle.KERNEL32(?), ref: 003E51D9
    • GetDriveTypeW.KERNELBASE(?), ref: 003E51F4
      • Part of subcall function 003E373D: SetErrorMode.KERNELBASE(00000001), ref: 003E3760
      • Part of subcall function 003E373D: GetFileAttributesW.KERNEL32(?), ref: 003E376A
      • Part of subcall function 003E373D: SetErrorMode.KERNELBASE(00000000), ref: 003E3774
    • HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 003E5262
    • RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 003E5279
    • RtlInitializeCriticalSection.NTDLL(0044DD68), ref: 003E52A2
    • CreateThread.KERNEL32(00000000,00000000,Function_000046A3,00000000,00000000,?), ref: 003E52BD
    • CreateThread.KERNEL32(00000000,00000000,Function_00004CE0,00000000,00000000,?), ref: 003E52DA
      • Part of subcall function 003E46A3: GetCurrentThread.KERNEL32(000000F1), ref: 003E46A6
      • Part of subcall function 003E46A3: SetThreadPriority.KERNEL32(00000000), ref: 003E46AD
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 003E531F
    • CloseHandle.KERNEL32(?), ref: 003E5333
    • RtlDeleteCriticalSection.NTDLL(0044D8BC), ref: 003E5688
      • Part of subcall function 003E4CE0: GetCurrentThread.KERNEL32(000000F1), ref: 003E4CF2
      • Part of subcall function 003E4CE0: SetThreadPriority.KERNEL32(00000000), ref: 003E4CF9
      • Part of subcall function 003E4CE0: GetCurrentThreadId.KERNEL32 ref: 003E4CFF
      • Part of subcall function 003E4CE0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 003E4D1C
      • Part of subcall function 003E4CE0: CryptGenRandom.ADVAPI32(?,00000020,?), ref: 003E4D2D
      • Part of subcall function 003E4CE0: CryptGenRandom.ADVAPI32(?,00000020,?), ref: 003E4D3B
      • Part of subcall function 003E4CE0: CryptGenRandom.ADVAPI32(?,00000004,?), ref: 003E4D4A
      • Part of subcall function 003E4CE0: GetTickCount.KERNEL32 ref: 003E4D50
      • Part of subcall function 003E4CE0: CryptReleaseContext.ADVAPI32(?,00000000,?), ref: 003E4D88
      • Part of subcall function 003E4CE0: GetTempPathW.KERNEL32(00000100,?), ref: 003E4D9D
      • Part of subcall function 003E4CE0: Sleep.KERNELBASE(000003E8), ref: 003E4DD9
      • Part of subcall function 003E4CE0: RtlAllocateHeap.NTDLL(00000008,00040100), ref: 003E4DFA
      • Part of subcall function 003E4CE0: RtlAllocateHeap.NTDLL(00000008,00040100), ref: 003E4E11
      • Part of subcall function 003E4CE0: RtlEnterCriticalSection.NTDLL(?), ref: 003E4E2F
      • Part of subcall function 003E4CE0: GetTickCount.KERNEL32 ref: 003E4E4B
      • Part of subcall function 003E4CE0: RtlLeaveCriticalSection.NTDLL(?), ref: 003E4F71
      • Part of subcall function 003E4CE0: RtlEnterCriticalSection.NTDLL(0044D8BC), ref: 003E4FBF
      • Part of subcall function 003E4CE0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,6D74683C,000007D0,00000000,00000000), ref: 003E5059
      • Part of subcall function 003E4CE0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,6D74683C,000003E8,00000000,00000000), ref: 003E50B0
      • Part of subcall function 003E4CE0: CreateFileW.KERNEL32(0044D958,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E50FC
      • Part of subcall function 003E4CE0: WriteFile.KERNEL32(0044D8D4,<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'></head><body bgcolor=#424242 onLoad="window.location='#list';"><p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'>Your documents, photos, databases and other important,00000000,?,00000000), ref: 003E511C
      • Part of subcall function 003E4CE0: RtlLeaveCriticalSection.NTDLL(0044D8BC), ref: 003E512D
    • RtlDeleteCriticalSection.NTDLL(0044DD68), ref: 003E5361
    • HeapDestroy.KERNEL32 ref: 003E536E
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,40000000,00000000,00000000,00000004,00000000,00000000), ref: 003E53AA
    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 003E53BF
    • WriteFile.KERNEL32(<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'></head><body bgcolor=#424242 onLoad="window.location='#list';"><p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'>Your documents, photos, databases and other important,?,00000000), ref: 003E53E0
    • CloseHandle.KERNEL32 ref: 003E53EC
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 003E53FE
    • GetFileSize.KERNEL32(00000000,00000000), ref: 003E5414
      • Part of subcall function 003E3509: GetProcessHeap.KERNEL32(00000008,?,003E40A2,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003E350F
      • Part of subcall function 003E3509: RtlAllocateHeap.NTDLL(00000000), ref: 003E3516
    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 003E5441
    • SetFilePointer.KERNELBASE(00000000,00000000,00000000), ref: 003E54C6
    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 003E550F
    • WriteFile.KERNEL32(?,?,?,00000000), ref: 003E55F7
    • WriteFile.KERNEL32(?,?,?,00000000), ref: 003E562B
    • WriteFile.KERNEL32(</table></body></html>,00000016,?,00000000), ref: 003E5649
    • SetEndOfFile.KERNELBASE ref: 003E5655
      • Part of subcall function 003E351D: GetProcessHeap.KERNEL32(00000000,?,003E4191,?), ref: 003E3523
      • Part of subcall function 003E351D: HeapFree.KERNEL32(00000000), ref: 003E352A
    • CloseHandle.KERNEL32 ref: 003E5676
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E3F18
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 003E3F7D
    • CloseHandle.KERNEL32(00000000), ref: 003E3F84
    • GetDesktopWindow.USER32(?,?,?,00000000,?,?), ref: 003E3FD0
    • GetWindowRect.USER32(00000000,?), ref: 003E3FDE
    • GetDC.USER32(?), ref: 003E3FF0
    • CreateCompatibleDC.GDI32(00000000), ref: 003E3FFA
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 003E4008
    • ReleaseDC.USER32(?,?), ref: 003E4017
    • SelectObject.GDI32(?,?), ref: 003E4023
    • CreateSolidBrush.GDI32(00000000), ref: 003E402B
    • FillRect.USER32(?,?,00000000), ref: 003E4039
      • Part of subcall function 003E3E36: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,?,00001000,?,?,003E4090,?), ref: 003E3E7B
      • Part of subcall function 003E3509: GetProcessHeap.KERNEL32(00000008,?,003E40A2,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003E350F
      • Part of subcall function 003E3509: RtlAllocateHeap.NTDLL(00000000), ref: 003E3516
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003E40C1
    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 003E411E
    • WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 003E4159
    • WriteFile.KERNEL32(?,?,00000028,?,00000000), ref: 003E416A
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003E417C
    • CloseHandle.KERNEL32(?), ref: 003E4183
      • Part of subcall function 003E351D: GetProcessHeap.KERNEL32(00000000,?,003E4191,?), ref: 003E3523
      • Part of subcall function 003E351D: HeapFree.KERNEL32(00000000), ref: 003E352A
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • GetCurrentThread.KERNEL32(000000F1), ref: 003E4CF2
    • SetThreadPriority.KERNEL32(00000000), ref: 003E4CF9
    • GetCurrentThreadId.KERNEL32 ref: 003E4CFF
    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 003E4D1C
    • CryptGenRandom.ADVAPI32(?,00000020,?), ref: 003E4D2D
    • CryptGenRandom.ADVAPI32(?,00000020,?), ref: 003E4D3B
    • CryptGenRandom.ADVAPI32(?,00000004,?), ref: 003E4D4A
    • GetTickCount.KERNEL32 ref: 003E4D50
    • CryptReleaseContext.ADVAPI32(?,00000000,?), ref: 003E4D88
    • GetTempPathW.KERNEL32(00000100,?), ref: 003E4D9D
    • Sleep.KERNELBASE(000003E8), ref: 003E4DD9
    • RtlAllocateHeap.NTDLL(00000008,00040100), ref: 003E4DFA
    • RtlAllocateHeap.NTDLL(00000008,00040100), ref: 003E4E11
    • RtlEnterCriticalSection.NTDLL(?), ref: 003E4E2F
    • GetTickCount.KERNEL32 ref: 003E4E4B
    • RtlLeaveCriticalSection.NTDLL(?), ref: 003E4F71
      • Part of subcall function 003E4721: MoveFileExW.KERNEL32(?,?,00000001), ref: 003E478D
      • Part of subcall function 003E4721: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 003E47A9
      • Part of subcall function 003E4721: MoveFileExW.KERNEL32(?,?,00000001), ref: 003E47C5
      • Part of subcall function 003E4721: GetFileTime.KERNEL32(00000000,?,?,?,?,?,003E4FAC,?,?,?,?,?,00000000,?,?), ref: 003E47E0
      • Part of subcall function 003E4721: GetFileSize.KERNEL32(00000000,00000000,?,003E4FAC,?,?,?,?,?,00000000,?,?), ref: 003E47E8
      • Part of subcall function 003E4721: ReadFile.KERNEL32(?,?,Actx ,?,00000000), ref: 003E4807
      • Part of subcall function 003E4721: GetSystemTimeAsFileTime.KERNEL32(?,?,003E4FAC,?,?,?,?,?,00000000,?,?), ref: 003E4811
      • Part of subcall function 003E4721: GetTickCount.KERNEL32(?,003E4FAC,?,?,?,?,?,00000000,?,?), ref: 003E4835
      • Part of subcall function 003E4721: SetFilePointer.KERNELBASE(?,00000030,00000000,00000000,?,?,?,?,?,?,?), ref: 003E4928
      • Part of subcall function 003E4721: SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 003E49BF
      • Part of subcall function 003E4721: ReadFile.KERNEL32(?,?,Actx ,?,00000000), ref: 003E49D8
      • Part of subcall function 003E4721: SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 003E49FF
      • Part of subcall function 003E4721: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003E4A3F
      • Part of subcall function 003E4721: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 003E4A86
      • Part of subcall function 003E4721: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003E4AC6
      • Part of subcall function 003E4721: SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 003E4B28
      • Part of subcall function 003E4721: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003E4B63
      • Part of subcall function 003E4721: SetEndOfFile.KERNELBASE(?), ref: 003E4B6F
      • Part of subcall function 003E4721: SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 003E4B7B
      • Part of subcall function 003E4721: WriteFile.KERNEL32(?,?,00000030,?,00000000), ref: 003E4BB8
      • Part of subcall function 003E4721: SetFileTime.KERNELBASE(?,?,?,?), ref: 003E4BCD
      • Part of subcall function 003E4721: CloseHandle.KERNEL32(?), ref: 003E4BD6
      • Part of subcall function 003E4721: MoveFileExW.KERNEL32(?,000003E8,00000001), ref: 003E4BE7
    • RtlEnterCriticalSection.NTDLL(0044D8BC), ref: 003E4FBF
      • Part of subcall function 003E4C24: CreateFileW.KERNEL32(0044D498,40000000,00000000,00000000,00000002,00000002,00000000), ref: 003E4C9F
      • Part of subcall function 003E4C24: Sleep.KERNEL32(00000064), ref: 003E4CAE
      • Part of subcall function 003E4C24: WriteFile.KERNEL32(00000000,?,0000028E,003E5003,00000000), ref: 003E4CCE
      • Part of subcall function 003E4C24: CloseHandle.KERNEL32(00000000), ref: 003E4CD5
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,6D74683C,000007D0,00000000,00000000), ref: 003E5059
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,6D74683C,000003E8,00000000,00000000), ref: 003E50B0
    • CreateFileW.KERNEL32(0044D958,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E50FC
    • WriteFile.KERNEL32(0044D8D4,<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'></head><body bgcolor=#424242 onLoad="window.location='#list';"><p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'>Your documents, photos, databases and other important,00000000,?,00000000), ref: 003E511C
    • RtlLeaveCriticalSection.NTDLL(0044D8BC), ref: 003E512D
    Strings
    • C:\ProgramData\upbbxxl.html, xrefs: 003E50F7
    • <html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'></head><body bgcolor=#424242 onLoad="window.location='#list';"><p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'>Your documents, photos, databases and other important, xrefs: 003E501E, 003E511A
    • <tr><td>, xrefs: 003E500E
    • </td><td>, xrefs: 003E506D
    • </td></tr>, xrefs: 003E50C4
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 003E478D
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 003E47A9
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 003E47C5
    • GetFileTime.KERNEL32(00000000,?,?,?,?,?,003E4FAC,?,?,?,?,?,00000000,?,?), ref: 003E47E0
    • GetFileSize.KERNEL32(00000000,00000000,?,003E4FAC,?,?,?,?,?,00000000,?,?), ref: 003E47E8
    • ReadFile.KERNEL32(?,?,Actx ,?,00000000), ref: 003E4807
    • GetSystemTimeAsFileTime.KERNEL32(?,?,003E4FAC,?,?,?,?,?,00000000,?,?), ref: 003E4811
    • GetTickCount.KERNEL32(?,003E4FAC,?,?,?,?,?,00000000,?,?), ref: 003E4835
    • SetFilePointer.KERNELBASE(?,00000030,00000000,00000000,?,?,?,?,?,?,?), ref: 003E4928
    • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 003E49BF
    • ReadFile.KERNEL32(?,?,Actx ,?,00000000), ref: 003E49D8
    • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 003E49FF
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003E4A3F
    • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 003E4A86
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003E4AC6
    • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 003E4B28
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003E4B63
    • SetEndOfFile.KERNELBASE(?), ref: 003E4B6F
    • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 003E4B7B
    • WriteFile.KERNEL32(?,?,00000030,?,00000000), ref: 003E4BB8
    • SetFileTime.KERNELBASE(?,?,?,?), ref: 003E4BCD
    • CloseHandle.KERNEL32(?), ref: 003E4BD6
    • MoveFileExW.KERNEL32(?,000003E8,00000001), ref: 003E4BE7
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • FindFirstFileW.KERNELBASE(?,?,?,?,003E46D0,?,?,00000000), ref: 003E42F6
    • RtlEnterCriticalSection.NTDLL(?), ref: 003E4520
    • RtlReAllocateHeap.NTDLL(00000008,?), ref: 003E45A2
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 003E4602
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 003E4641
    • RtlLeaveCriticalSection.NTDLL(?), ref: 003E466F
      • Part of subcall function 003E3EB0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E3F18
      • Part of subcall function 003E3EB0: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 003E3F7D
      • Part of subcall function 003E3EB0: CloseHandle.KERNEL32(00000000), ref: 003E3F84
      • Part of subcall function 003E3EB0: GetDesktopWindow.USER32(?,?,?,00000000,?,?), ref: 003E3FD0
      • Part of subcall function 003E3EB0: GetWindowRect.USER32(00000000,?), ref: 003E3FDE
      • Part of subcall function 003E3EB0: GetDC.USER32(?), ref: 003E3FF0
      • Part of subcall function 003E3EB0: CreateCompatibleDC.GDI32(00000000), ref: 003E3FFA
      • Part of subcall function 003E3EB0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 003E4008
      • Part of subcall function 003E3EB0: ReleaseDC.USER32(?,?), ref: 003E4017
      • Part of subcall function 003E3EB0: SelectObject.GDI32(?,?), ref: 003E4023
      • Part of subcall function 003E3EB0: CreateSolidBrush.GDI32(00000000), ref: 003E402B
      • Part of subcall function 003E3EB0: FillRect.USER32(?,?,00000000), ref: 003E4039
      • Part of subcall function 003E3EB0: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003E40C1
      • Part of subcall function 003E3EB0: GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 003E411E
      • Part of subcall function 003E3EB0: WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 003E4159
      • Part of subcall function 003E3EB0: WriteFile.KERNEL32(?,?,00000028,?,00000000), ref: 003E416A
      • Part of subcall function 003E3EB0: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003E417C
      • Part of subcall function 003E3EB0: CloseHandle.KERNEL32(?), ref: 003E4183
    • FindNextFileW.KERNEL32(?,?), ref: 003E4684
    • FindClose.KERNELBASE(?), ref: 003E4695
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • FindFirstFileW.KERNELBASE(?,?), ref: 003E361D
    • CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 003E36B8
    • GetFileSize.KERNEL32(00000000,00000000), ref: 003E36C8
    • ReadFile.KERNEL32(00000000,0040A580,0000028E,?,00000000), ref: 003E36E9
    • CloseHandle.KERNEL32(00000000), ref: 003E36FB
    • FindNextFileW.KERNEL32(?,?), ref: 003E370B
    • FindClose.KERNEL32(?), ref: 003E371C
    • CloseHandle.KERNEL32(00000000), ref: 003E372A
    • FindClose.KERNELBASE(?), ref: 003E3733
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 003E41D3
      • Part of subcall function 003E3EB0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E3F18
      • Part of subcall function 003E3EB0: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 003E3F7D
      • Part of subcall function 003E3EB0: CloseHandle.KERNEL32(00000000), ref: 003E3F84
      • Part of subcall function 003E3EB0: GetDesktopWindow.USER32(?,?,?,00000000,?,?), ref: 003E3FD0
      • Part of subcall function 003E3EB0: GetWindowRect.USER32(00000000,?), ref: 003E3FDE
      • Part of subcall function 003E3EB0: GetDC.USER32(?), ref: 003E3FF0
      • Part of subcall function 003E3EB0: CreateCompatibleDC.GDI32(00000000), ref: 003E3FFA
      • Part of subcall function 003E3EB0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 003E4008
      • Part of subcall function 003E3EB0: ReleaseDC.USER32(?,?), ref: 003E4017
      • Part of subcall function 003E3EB0: SelectObject.GDI32(?,?), ref: 003E4023
      • Part of subcall function 003E3EB0: CreateSolidBrush.GDI32(00000000), ref: 003E402B
      • Part of subcall function 003E3EB0: FillRect.USER32(?,?,00000000), ref: 003E4039
      • Part of subcall function 003E3EB0: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003E40C1
      • Part of subcall function 003E3EB0: GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 003E411E
      • Part of subcall function 003E3EB0: WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 003E4159
      • Part of subcall function 003E3EB0: WriteFile.KERNEL32(?,?,00000028,?,00000000), ref: 003E416A
      • Part of subcall function 003E3EB0: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003E417C
      • Part of subcall function 003E3EB0: CloseHandle.KERNEL32(?), ref: 003E4183
    • SHEmptyRecycleBinW.SHELL32(00000000,00000000,00000007), ref: 003E41F2
    • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Desktop,00000000,00000103,?), ref: 003E421A
    • RegSetValueExW.KERNEL32(?,TileWallpaper,00000000,00000001,?,00000004), ref: 003E423C
    • RegSetValueExW.KERNEL32(?,WallpaperStyle,00000000,00000001,00000030,00000004), ref: 003E4253
    • RegCloseKey.KERNEL32(?), ref: 003E425C
    • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 003E426E
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
      • Part of subcall function 003E643B: LoadLibraryA.KERNEL32(user32.dll), ref: 003E6441
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,GetDC), ref: 003E644F
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 003E6460
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,FillRect), ref: 003E6471
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 003E6482
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,GetWindowRect), ref: 003E6493
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,GetDesktopWindow), ref: 003E64A4
      • Part of subcall function 003E643B: LoadLibraryA.KERNEL32(advapi32.dll), ref: 003E64B4
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,RegSetValueExW), ref: 003E64C2
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 003E64D3
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 003E64E4
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 003E64F5
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 003E6506
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 003E6517
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 003E6528
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 003E6539
      • Part of subcall function 003E643B: LoadLibraryA.KERNEL32(gdi32.dll), ref: 003E6549
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,SetTextColor), ref: 003E6557
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,GetTextExtentPoint32W), ref: 003E6568
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,GetDIBits), ref: 003E6579
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 003E658A
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 003E659B
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,CreateSolidBrush), ref: 003E65AC
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,TextOutW), ref: 003E65BD
      • Part of subcall function 003E643B: GetProcAddress.KERNEL32(00000000,CreateFontW), ref: 003E65CE
    • Sleep.KERNELBASE(000003E8), ref: 003E585D
      • Part of subcall function 003E56EA: CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Tahoma), ref: 003E5709
      • Part of subcall function 003E56EA: CreateFontW.GDI32(00000012,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 003E572C
      • Part of subcall function 003E56EA: CreateFontW.GDI32(00000024,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Tahoma), ref: 003E5747
      • Part of subcall function 003E56EA: GetUserGeoID.KERNEL32(00000010), ref: 003E575F
      • Part of subcall function 003E333C: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000101,?), ref: 003E335E
      • Part of subcall function 003E333C: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,041d84af-7e76-450d-8340-55db3c73c359,0000003F), ref: 003E337E
      • Part of subcall function 003E333C: RegCloseKey.KERNEL32(?), ref: 003E3387
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData\upbbxxl.html), ref: 003E58A4
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 003E5916
      • Part of subcall function 003E35A0: FindFirstFileW.KERNELBASE(?,?), ref: 003E361D
      • Part of subcall function 003E35A0: CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 003E36B8
      • Part of subcall function 003E35A0: GetFileSize.KERNEL32(00000000,00000000), ref: 003E36C8
      • Part of subcall function 003E35A0: ReadFile.KERNEL32(00000000,0040A580,0000028E,?,00000000), ref: 003E36E9
      • Part of subcall function 003E35A0: CloseHandle.KERNEL32(00000000), ref: 003E36FB
      • Part of subcall function 003E35A0: FindNextFileW.KERNEL32(?,?), ref: 003E370B
      • Part of subcall function 003E35A0: FindClose.KERNEL32(?), ref: 003E371C
      • Part of subcall function 003E35A0: CloseHandle.KERNEL32(00000000), ref: 003E372A
      • Part of subcall function 003E35A0: FindClose.KERNELBASE(?), ref: 003E3733
    • Sleep.KERNEL32(000000FF), ref: 003E592F
    • Sleep.KERNELBASE(000000FF), ref: 003E596F
      • Part of subcall function 003E4C24: CreateFileW.KERNEL32(0044D498,40000000,00000000,00000000,00000002,00000002,00000000), ref: 003E4C9F
      • Part of subcall function 003E4C24: Sleep.KERNEL32(00000064), ref: 003E4CAE
      • Part of subcall function 003E4C24: WriteFile.KERNEL32(00000000,?,0000028E,003E5003,00000000), ref: 003E4CCE
      • Part of subcall function 003E4C24: CloseHandle.KERNEL32(00000000), ref: 003E4CD5
      • Part of subcall function 003E514D: GetLogicalDriveStringsW.KERNELBASE(00000400,?), ref: 003E5165
      • Part of subcall function 003E514D: RtlInitializeCriticalSection.NTDLL(0044D8BC), ref: 003E5188
      • Part of subcall function 003E514D: CreateThread.KERNEL32(00000000,00000000,Function_00005141,00000000,00000000,00000000), ref: 003E51A5
      • Part of subcall function 003E514D: WaitForMultipleObjects.KERNEL32(00000001,?,00000001,00000BB8), ref: 003E51C4
      • Part of subcall function 003E514D: CloseHandle.KERNEL32(?), ref: 003E51D9
      • Part of subcall function 003E514D: GetDriveTypeW.KERNELBASE(?), ref: 003E51F4
      • Part of subcall function 003E514D: HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 003E5262
      • Part of subcall function 003E514D: RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 003E5279
      • Part of subcall function 003E514D: RtlInitializeCriticalSection.NTDLL(0044DD68), ref: 003E52A2
      • Part of subcall function 003E514D: CreateThread.KERNEL32(00000000,00000000,Function_000046A3,00000000,00000000,?), ref: 003E52BD
      • Part of subcall function 003E514D: CreateThread.KERNEL32(00000000,00000000,Function_00004CE0,00000000,00000000,?), ref: 003E52DA
      • Part of subcall function 003E514D: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 003E531F
      • Part of subcall function 003E514D: CloseHandle.KERNEL32(?), ref: 003E5333
      • Part of subcall function 003E514D: RtlDeleteCriticalSection.NTDLL(0044DD68), ref: 003E5361
      • Part of subcall function 003E514D: HeapDestroy.KERNEL32 ref: 003E536E
      • Part of subcall function 003E514D: CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,40000000,00000000,00000000,00000004,00000000,00000000), ref: 003E53AA
      • Part of subcall function 003E514D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 003E53BF
      • Part of subcall function 003E514D: WriteFile.KERNEL32(<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'></head><body bgcolor=#424242 onLoad="window.location='#list';"><p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'>Your documents, photos, databases and other important,?,00000000), ref: 003E53E0
      • Part of subcall function 003E514D: CloseHandle.KERNEL32 ref: 003E53EC
      • Part of subcall function 003E514D: CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 003E53FE
      • Part of subcall function 003E514D: GetFileSize.KERNEL32(00000000,00000000), ref: 003E5414
      • Part of subcall function 003E514D: ReadFile.KERNEL32(00000000,?,?,00000000), ref: 003E5441
      • Part of subcall function 003E514D: SetFilePointer.KERNELBASE(00000000,00000000,00000000), ref: 003E54C6
      • Part of subcall function 003E514D: GetSystemTimeAsFileTime.KERNEL32(?), ref: 003E550F
      • Part of subcall function 003E514D: WriteFile.KERNEL32(?,?,?,00000000), ref: 003E55F7
      • Part of subcall function 003E514D: WriteFile.KERNEL32(?,?,?,00000000), ref: 003E562B
      • Part of subcall function 003E514D: WriteFile.KERNEL32(</table></body></html>,00000016,?,00000000), ref: 003E5649
      • Part of subcall function 003E514D: SetEndOfFile.KERNELBASE ref: 003E5655
      • Part of subcall function 003E514D: CloseHandle.KERNEL32 ref: 003E5676
      • Part of subcall function 003E514D: RtlDeleteCriticalSection.NTDLL(0044D8BC), ref: 003E5688
      • Part of subcall function 003E41BB: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 003E41D3
      • Part of subcall function 003E41BB: SHEmptyRecycleBinW.SHELL32(00000000,00000000,00000007), ref: 003E41F2
      • Part of subcall function 003E41BB: RegOpenKeyExW.KERNEL32(80000001,Control Panel\Desktop,00000000,00000103,?), ref: 003E421A
      • Part of subcall function 003E41BB: RegSetValueExW.KERNEL32(?,TileWallpaper,00000000,00000001,?,00000004), ref: 003E423C
      • Part of subcall function 003E41BB: RegSetValueExW.KERNEL32(?,WallpaperStyle,00000000,00000001,00000030,00000004), ref: 003E4253
      • Part of subcall function 003E41BB: RegCloseKey.KERNEL32(?), ref: 003E425C
      • Part of subcall function 003E41BB: SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 003E426E
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • SelectObject.GDI32(003E3EA9), ref: 003E3932
    • SetTextColor.GDI32(003E3EA9,00FFFFFF), ref: 003E393E
    • SetBkMode.GDI32(003E3EA9,00000001), ref: 003E3947
    • GetTextExtentPoint32W.GDI32(003E3EA9,|{y!~^_,00000007,?), ref: 003E3959
    • SelectObject.GDI32(003E3EA9), ref: 003E3A1C
    • GetTextExtentPoint32W.GDI32(003E3EA9,|{y!~^_,00000007,?), ref: 003E3A2E
    • SetTextColor.GDI32(003E3EA9), ref: 003E3A3E
      • Part of subcall function 003E3849: GetTextExtentPoint32W.GDI32(003E3EA9,?,00000000,003E3EA9), ref: 003E3871
      • Part of subcall function 003E3849: GetTextExtentPoint32W.GDI32(003E3EA9,?,00000000,003E3EA9), ref: 003E38B1
      • Part of subcall function 003E3849: TextOutW.GDI32(003E3EA9,003E3EA9,?,?,00000000), ref: 003E3914
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000101,?), ref: 003E335E
    • RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,041d84af-7e76-450d-8340-55db3c73c359,0000003F), ref: 003E337E
    • RegCloseKey.KERNEL32(?), ref: 003E3387
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Tahoma), ref: 003E5709
    • CreateFontW.GDI32(00000012,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 003E572C
    • CreateFontW.GDI32(00000024,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Tahoma), ref: 003E5747
    • GetUserGeoID.KERNEL32(00000010), ref: 003E575F
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • CreateFileW.KERNEL32(0044D498,40000000,00000000,00000000,00000002,00000002,00000000), ref: 003E4C9F
    • Sleep.KERNEL32(00000064), ref: 003E4CAE
    • WriteFile.KERNEL32(00000000,?,0000028E,003E5003,00000000), ref: 003E4CCE
    • CloseHandle.KERNEL32(00000000), ref: 003E4CD5
    Strings
    • C:\ProgramData\Adobe\hygrtse, xrefs: 003E4C9A
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • SetErrorMode.KERNELBASE(00000001), ref: 003E3760
    • GetFileAttributesW.KERNEL32(?), ref: 003E376A
    • SetErrorMode.KERNELBASE(00000000), ref: 003E3774
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • GetProcessHeap.KERNEL32(00000008,?), ref: 003E98B7
    • RtlAllocateHeap.NTDLL(00000000), ref: 003E98BE
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • GetProcessHeap.KERNEL32(00000008,?,003E40A2,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003E350F
    • RtlAllocateHeap.NTDLL(00000000), ref: 003E3516
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • GetProcessHeap.KERNEL32(00000000,?), ref: 003E98CB
    • HeapFree.KERNEL32(00000000), ref: 003E98D2
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd
    APIs
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,?,00001000,?,?,003E4090,?), ref: 003E3E7B
      • Part of subcall function 003E391F: SelectObject.GDI32(003E3EA9), ref: 003E3932
      • Part of subcall function 003E391F: SetTextColor.GDI32(003E3EA9,00FFFFFF), ref: 003E393E
      • Part of subcall function 003E391F: SetBkMode.GDI32(003E3EA9,00000001), ref: 003E3947
      • Part of subcall function 003E391F: GetTextExtentPoint32W.GDI32(003E3EA9,|{y!~^_,00000007,?), ref: 003E3959
      • Part of subcall function 003E391F: SelectObject.GDI32(003E3EA9), ref: 003E3A1C
      • Part of subcall function 003E391F: GetTextExtentPoint32W.GDI32(003E3EA9,|{y!~^_,00000007,?), ref: 003E3A2E
      • Part of subcall function 003E391F: SetTextColor.GDI32(003E3EA9), ref: 003E3A3E
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd

    Non-executed Functions

    APIs
    • GetCurrentThread.KERNEL32(000000F1), ref: 003E46A6
    • SetThreadPriority.KERNEL32(00000000), ref: 003E46AD
      • Part of subcall function 003E4277: FindFirstFileW.KERNELBASE(?,?,?,?,003E46D0,?,?,00000000), ref: 003E42F6
      • Part of subcall function 003E4277: RtlEnterCriticalSection.NTDLL(?), ref: 003E4520
      • Part of subcall function 003E4277: RtlReAllocateHeap.NTDLL(00000008,?), ref: 003E45A2
      • Part of subcall function 003E4277: RtlAllocateHeap.NTDLL(00000008,?), ref: 003E4602
      • Part of subcall function 003E4277: RtlAllocateHeap.NTDLL(00000008,?), ref: 003E4641
      • Part of subcall function 003E4277: RtlLeaveCriticalSection.NTDLL(?), ref: 003E466F
      • Part of subcall function 003E4277: FindNextFileW.KERNEL32(?,?), ref: 003E4684
      • Part of subcall function 003E4277: FindClose.KERNELBASE(?), ref: 003E4695
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.866467108.003E0000.00000020.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_svchost.jbxd

    Executed Functions

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01E03F18
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 01E03F7D
    • CloseHandle.KERNEL32(00000000), ref: 01E03F84
    • GetDesktopWindow.USER32 ref: 01E03FD0
    • GetWindowRect.USER32(00000000,?), ref: 01E03FDE
    • GetDC.USER32(?), ref: 01E03FF0
    • CreateCompatibleDC.GDI32(00000000), ref: 01E03FFA
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 01E04008
    • ReleaseDC.USER32(?,?), ref: 01E04017
    • SelectObject.GDI32(?,?), ref: 01E04023
    • CreateSolidBrush.GDI32(00000000), ref: 01E0402B
    • FillRect.USER32(?,?,00000000), ref: 01E04039
      • Part of subcall function 01E03E36: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,?,00001000), ref: 01E03E7B
      • Part of subcall function 01E03509: GetProcessHeap.KERNEL32(00000008,00000001,01E01D45,0000001C), ref: 01E0350F
      • Part of subcall function 01E03509: RtlAllocateHeap.NTDLL(00000000), ref: 01E03516
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 01E040C1
    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 01E0411E
    • WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 01E04159
    • WriteFile.KERNEL32(?,?,00000028,?,00000000), ref: 01E0416A
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E0417C
    • CloseHandle.KERNEL32(?), ref: 01E04183
      • Part of subcall function 01E0351D: GetProcessHeap.KERNEL32(00000000,?,01E04191,?), ref: 01E03523
      • Part of subcall function 01E0351D: HeapFree.KERNEL32(00000000), ref: 01E0352A
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • FindFirstFileW.KERNELBASE(?,?), ref: 01E0361D
    • CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 01E036B8
    • GetFileSize.KERNEL32(00000000,00000000), ref: 01E036C8
    • ReadFile.KERNEL32(00000000,01E2A580,0000028E,?,00000000), ref: 01E036E9
    • CloseHandle.KERNEL32(00000000), ref: 01E036FB
    • FindNextFileW.KERNEL32(?,?), ref: 01E0370B
    • FindClose.KERNEL32(?), ref: 01E0371C
    • CloseHandle.KERNEL32(00000000), ref: 01E0372A
    • FindClose.KERNELBASE(?), ref: 01E03733
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 01E041D3
      • Part of subcall function 01E03EB0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01E03F18
      • Part of subcall function 01E03EB0: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 01E03F7D
      • Part of subcall function 01E03EB0: CloseHandle.KERNEL32(00000000), ref: 01E03F84
      • Part of subcall function 01E03EB0: GetDesktopWindow.USER32 ref: 01E03FD0
      • Part of subcall function 01E03EB0: GetWindowRect.USER32(00000000,?), ref: 01E03FDE
      • Part of subcall function 01E03EB0: GetDC.USER32(?), ref: 01E03FF0
      • Part of subcall function 01E03EB0: CreateCompatibleDC.GDI32(00000000), ref: 01E03FFA
      • Part of subcall function 01E03EB0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 01E04008
      • Part of subcall function 01E03EB0: ReleaseDC.USER32(?,?), ref: 01E04017
      • Part of subcall function 01E03EB0: SelectObject.GDI32(?,?), ref: 01E04023
      • Part of subcall function 01E03EB0: CreateSolidBrush.GDI32(00000000), ref: 01E0402B
      • Part of subcall function 01E03EB0: FillRect.USER32(?,?,00000000), ref: 01E04039
      • Part of subcall function 01E03EB0: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 01E040C1
      • Part of subcall function 01E03EB0: GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 01E0411E
      • Part of subcall function 01E03EB0: WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 01E04159
      • Part of subcall function 01E03EB0: WriteFile.KERNEL32(?,?,00000028,?,00000000), ref: 01E0416A
      • Part of subcall function 01E03EB0: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E0417C
      • Part of subcall function 01E03EB0: CloseHandle.KERNEL32(?), ref: 01E04183
    • SHEmptyRecycleBinW.SHELL32(00000000,00000000,00000007), ref: 01E041F2
    • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop,00000000,00000103,?), ref: 01E0421A
    • RegSetValueExW.KERNEL32(?,TileWallpaper,00000000,00000001,?,00000004), ref: 01E0423C
    • RegSetValueExW.KERNEL32(?,WallpaperStyle,00000000,00000001,00000030,00000004), ref: 01E04253
    • RegCloseKey.KERNEL32(?), ref: 01E0425C
    • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 01E0426E
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
      • Part of subcall function 01E0643B: LoadLibraryA.KERNEL32(user32.dll), ref: 01E06441
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,GetDC), ref: 01E0644F
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 01E06460
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,FillRect), ref: 01E06471
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 01E06482
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,GetWindowRect), ref: 01E06493
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,GetDesktopWindow), ref: 01E064A4
      • Part of subcall function 01E0643B: LoadLibraryA.KERNEL32(advapi32.dll), ref: 01E064B4
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,RegSetValueExW), ref: 01E064C2
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 01E064D3
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 01E064E4
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 01E064F5
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 01E06506
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 01E06517
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 01E06528
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 01E06539
      • Part of subcall function 01E0643B: LoadLibraryA.KERNEL32(gdi32.dll), ref: 01E06549
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,SetTextColor), ref: 01E06557
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,GetTextExtentPoint32W), ref: 01E06568
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,GetDIBits), ref: 01E06579
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 01E0658A
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 01E0659B
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,CreateSolidBrush), ref: 01E065AC
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,TextOutW), ref: 01E065BD
      • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,CreateFontW), ref: 01E065CE
    • Sleep.KERNELBASE(000003E8), ref: 01E0585D
      • Part of subcall function 01E056EA: CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Tahoma), ref: 01E05709
      • Part of subcall function 01E056EA: CreateFontW.GDI32(00000012,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 01E0572C
      • Part of subcall function 01E056EA: CreateFontW.GDI32(00000024,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Tahoma), ref: 01E05747
      • Part of subcall function 01E056EA: GetUserGeoID.KERNEL32(00000010), ref: 01E0575F
      • Part of subcall function 01E0333C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000101,?), ref: 01E0335E
      • Part of subcall function 01E0333C: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,041d84af-7e76-450d-8340-55db3c73c359,0000003F), ref: 01E0337E
      • Part of subcall function 01E0333C: RegCloseKey.KERNEL32(?), ref: 01E03387
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData\upbbxxl.html), ref: 01E058A4
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 01E05916
      • Part of subcall function 01E035A0: FindFirstFileW.KERNELBASE(?,?), ref: 01E0361D
      • Part of subcall function 01E035A0: CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 01E036B8
      • Part of subcall function 01E035A0: GetFileSize.KERNEL32(00000000,00000000), ref: 01E036C8
      • Part of subcall function 01E035A0: ReadFile.KERNEL32(00000000,01E2A580,0000028E,?,00000000), ref: 01E036E9
      • Part of subcall function 01E035A0: CloseHandle.KERNEL32(00000000), ref: 01E036FB
      • Part of subcall function 01E035A0: FindNextFileW.KERNEL32(?,?), ref: 01E0370B
      • Part of subcall function 01E035A0: FindClose.KERNEL32(?), ref: 01E0371C
      • Part of subcall function 01E035A0: CloseHandle.KERNEL32(00000000), ref: 01E0372A
      • Part of subcall function 01E035A0: FindClose.KERNELBASE(?), ref: 01E03733
    • Sleep.KERNEL32(000000FF), ref: 01E0592F
    • Sleep.KERNELBASE(000000FF), ref: 01E0596F
      • Part of subcall function 01E04C24: CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,00000000,00000002,00000002,00000000), ref: 01E04C9F
      • Part of subcall function 01E04C24: Sleep.KERNEL32(00000064), ref: 01E04CAE
      • Part of subcall function 01E04C24: WriteFile.KERNEL32(00000000,?,0000028E,?,00000000), ref: 01E04CCE
      • Part of subcall function 01E04C24: CloseHandle.KERNEL32(00000000), ref: 01E04CD5
      • Part of subcall function 01E0514D: GetLogicalDriveStringsW.KERNEL32(00000400,?), ref: 01E05165
      • Part of subcall function 01E0514D: RtlInitializeCriticalSection.NTDLL(01E6D8BC), ref: 01E05188
      • Part of subcall function 01E0514D: CreateThread.KERNEL32(00000000,00000000,01E05141,00000000,00000000,00000000), ref: 01E051A5
      • Part of subcall function 01E0514D: WaitForMultipleObjects.KERNEL32(00000001,?,00000001,00000BB8), ref: 01E051C4
      • Part of subcall function 01E0514D: CloseHandle.KERNEL32(?), ref: 01E051D9
      • Part of subcall function 01E0514D: GetDriveTypeW.KERNEL32(?), ref: 01E051F4
      • Part of subcall function 01E0514D: HeapCreate.KERNEL32(00000000,00010000,00000000), ref: 01E05262
      • Part of subcall function 01E0514D: RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 01E05279
      • Part of subcall function 01E0514D: RtlInitializeCriticalSection.NTDLL(01E6DD68), ref: 01E052A2
      • Part of subcall function 01E0514D: CreateThread.KERNEL32(00000000,00000000,Function_000046A3,00000000,00000000,?), ref: 01E052BD
      • Part of subcall function 01E0514D: CreateThread.KERNEL32(00000000,00000000,Function_00004CE0,00000000,00000000,?), ref: 01E052DA
      • Part of subcall function 01E0514D: WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 01E0531F
      • Part of subcall function 01E0514D: CloseHandle.KERNEL32(?), ref: 01E05333
      • Part of subcall function 01E0514D: RtlDeleteCriticalSection.NTDLL(01E6DD68), ref: 01E05361
      • Part of subcall function 01E0514D: HeapDestroy.KERNEL32 ref: 01E0536E
      • Part of subcall function 01E0514D: CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,40000000,00000000,00000000,00000004,00000000,00000000), ref: 01E053AA
      • Part of subcall function 01E0514D: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 01E053BF
      • Part of subcall function 01E0514D: WriteFile.KERNEL32(01E2BC10,?,00000000), ref: 01E053E0
      • Part of subcall function 01E0514D: CloseHandle.KERNEL32 ref: 01E053EC
      • Part of subcall function 01E0514D: CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01E053FE
      • Part of subcall function 01E0514D: GetFileSize.KERNEL32(00000000,00000000), ref: 01E05414
      • Part of subcall function 01E0514D: ReadFile.KERNEL32(00000000,?,?,00000000), ref: 01E05441
      • Part of subcall function 01E0514D: SetFilePointer.KERNEL32(00000000,00000000,00000000), ref: 01E054C6
      • Part of subcall function 01E0514D: GetSystemTimeAsFileTime.KERNEL32(?), ref: 01E0550F
      • Part of subcall function 01E0514D: WriteFile.KERNEL32(?,?,?,00000000), ref: 01E055F7
      • Part of subcall function 01E0514D: WriteFile.KERNEL32(?,?,?,00000000), ref: 01E0562B
      • Part of subcall function 01E0514D: WriteFile.KERNEL32(</table></body></html>,00000016,?,00000000), ref: 01E05649
      • Part of subcall function 01E0514D: SetEndOfFile.KERNEL32 ref: 01E05655
      • Part of subcall function 01E0514D: CloseHandle.KERNEL32 ref: 01E05676
      • Part of subcall function 01E0514D: RtlDeleteCriticalSection.NTDLL(01E6D8BC), ref: 01E05688
      • Part of subcall function 01E041BB: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 01E041D3
      • Part of subcall function 01E041BB: SHEmptyRecycleBinW.SHELL32(00000000,00000000,00000007), ref: 01E041F2
      • Part of subcall function 01E041BB: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop,00000000,00000103,?), ref: 01E0421A
      • Part of subcall function 01E041BB: RegSetValueExW.KERNEL32(?,TileWallpaper,00000000,00000001,?,00000004), ref: 01E0423C
      • Part of subcall function 01E041BB: RegSetValueExW.KERNEL32(?,WallpaperStyle,00000000,00000001,00000030,00000004), ref: 01E04253
      • Part of subcall function 01E041BB: RegCloseKey.KERNEL32(?), ref: 01E0425C
      • Part of subcall function 01E041BB: SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 01E0426E
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000101,?), ref: 01E0335E
    • RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,041d84af-7e76-450d-8340-55db3c73c359,0000003F), ref: 01E0337E
    • RegCloseKey.KERNEL32(?), ref: 01E03387
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Tahoma), ref: 01E05709
    • CreateFontW.GDI32(00000012,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 01E0572C
    • CreateFontW.GDI32(00000024,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Tahoma), ref: 01E05747
    • GetUserGeoID.KERNEL32(00000010), ref: 01E0575F
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • GetProcessHeap.KERNEL32(00000008,00000001,01E01D45,0000001C), ref: 01E0350F
    • RtlAllocateHeap.NTDLL(00000000), ref: 01E03516
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
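The explorer.exe trace above contains the behaviour an analyst reads off by hand: APIs resolved at runtime through LoadLibraryA/GetProcAddress, 32+32+4 bytes drawn from CryptGenRandom, the MachineGuid value read from HKLM\SOFTWARE\Microsoft\Cryptography, a key-sized blob written to C:\ProgramData\Adobe\hygrtse, an HTML note appended at C:\ProgramData\upbbxxl.html, drive enumeration, a silent SHEmptyRecycleBinW (flags 0x7) and a wallpaper change via TileWallpaper/WallpaperStyle followed by SystemParametersInfoW(0x14). The script below is an added example, not part of the Joe Sandbox report: it parses the bullet-line format used in this report ("API.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function X:"), deduplicates calls by address so a call that is listed again under several callers counts once, and turns the calls into those indicators. The Win32 constants (SPI_SETDESKWALLPAPER, the SHERB_* flags, CreateFileW access and disposition values) are documented Windows values; the sample input is constructed from lines copied out of this report.

```python
"""Pull behavioural indicators out of a Joe Sandbox IDA-plugin API trace.

Added example, not part of the report. Parses bullet lines of the form
"API.MODULE(args), ref: ADDR" (optionally prefixed "Part of subcall function
X:"), deduplicates by call address, and derives analyst-facing indicators.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Documented Win32 constants used by the checks below.
SPI_SETDESKWALLPAPER = 0x14
SHERB_SILENT = 0x7  # SHERB_NOCONFIRMATION | SHERB_NOPROGRESSUI | SHERB_NOSOUND
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0xC0000000: "GENERIC_READ|GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def _hex(arg):
    """Hex argument as int, or None for '?' (unresolved) and string literals."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_trace(text):
    """Return unique (api, module, args, ref) tuples in trace order."""
    seen, calls = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers and memory-dump metadata lines
        key = (m["api"], m["ref"].upper())
        if key in seen:
            continue  # same call address already listed (subcall repeat)
        seen.add(key)
        args = [] if m["args"] is None else m["args"].split(",")
        calls.append((m["api"], m["mod"], args, key[1]))
    return calls


def indicators(calls):
    """Map indicator name -> supporting evidence, from the unique call list."""
    ind = defaultdict(list)
    for api, _mod, a, ref in calls:
        if api == "GetProcAddress" and a:
            ind["dynamic_imports"].append(a[-1])          # name resolved at runtime
        elif api == "CryptGenRandom" and len(a) > 1 and _hex(a[1]) is not None:
            ind["csprng_bytes"].append(_hex(a[1]))        # dwLen argument
        elif api == "RegQueryValueExA" and "MachineGuid" in a:
            ind["machine_guid_read"].append(ref)
        elif api == "RegSetValueExW" and len(a) > 1 and a[1] in ("TileWallpaper", "WallpaperStyle"):
            ind["wallpaper_registry"].append(a[1])
        elif api == "SystemParametersInfoW" and a and _hex(a[0]) == SPI_SETDESKWALLPAPER:
            ind["wallpaper_set"].append(ref)
        elif api == "SHEmptyRecycleBinW" and len(a) > 2:
            ind["recycle_bin_silent"].append(((_hex(a[2]) or 0) & SHERB_SILENT) == SHERB_SILENT)
        elif api == "CreateFileW" and len(a) > 4 and ":\\" in a[0]:
            # (lpFileName, dwDesiredAccess, ..., dwCreationDisposition at index 4)
            ind["file_artifacts"].append(
                (a[0], ACCESS.get(_hex(a[1]), a[1]), DISPOSITION.get(_hex(a[4]), a[4])))
        elif api in ("GetLogicalDriveStringsW", "GetDriveTypeW"):
            ind["drive_enumeration"].append(api)
    return dict(ind)


def summarize(text):
    """Analyst-facing verdicts for one trace."""
    ind = indicators(parse_trace(text))
    return {
        "resolves_apis_at_runtime": bool(ind.get("dynamic_imports")),
        "random_key_material_bytes": sum(ind.get("csprng_bytes", [])),
        "reads_machine_guid": bool(ind.get("machine_guid_read")),
        "changes_wallpaper": bool(ind.get("wallpaper_registry")) and bool(ind.get("wallpaper_set")),
        "empties_recycle_bin_silently": any(ind.get("recycle_bin_silent", [])),
        "enumerates_drives": bool(ind.get("drive_enumeration")),
        "artifacts": sorted({path for path, _, _ in ind.get("file_artifacts", [])}),
    }


# Constructed input: lines copied from the explorer.exe trace in this report.
SAMPLE_TRACE = r"""
    • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 01E06482
    • Part of subcall function 01E0643B: GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 01E06506
    • RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,041d84af-7e76-450d-8340-55db3c73c359,0000003F), ref: 01E0337E
    • CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D2D
    • CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D3B
    • CryptGenRandom.ADVAPI32(?,00000004,?), ref: 01E04D4A
    • Part of subcall function 01E04CE0: CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D2D
    • CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,00000000,00000002,00000002,00000000), ref: 01E04C9F
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01E053FE
    • GetLogicalDriveStringsW.KERNEL32(00000400,?), ref: 01E05165
    • GetDriveTypeW.KERNEL32(?), ref: 01E051F4
    • SHEmptyRecycleBinW.SHELL32(00000000,00000000,00000007), ref: 01E041F2
    • RegSetValueExW.KERNEL32(?,TileWallpaper,00000000,00000001,?,00000004), ref: 01E0423C
    • RegSetValueExW.KERNEL32(?,WallpaperStyle,00000000,00000001,00000030,00000004), ref: 01E04253
    • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 01E0426E
    • GetDesktopWindow.USER32 ref: 01E03FD0
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
"""

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_TRACE).items():
        print(f"{name}: {value}")
```

Deduplication by call address matters: the three CryptGenRandom calls appear both in the 01E04CE0 listing and again as "Part of subcall function 01E04CE0" under the drive-walking function, so counting raw lines would double the 68 bytes of key material. The same script runs unchanged over the svchost.exe blocks (003Exxxx addresses), which are the same code injected into a second process.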

    Non-executed Functions

    APIs
    • GetLogicalDriveStringsW.KERNEL32(00000400,?), ref: 01E05165
    • RtlInitializeCriticalSection.NTDLL(01E6D8BC), ref: 01E05188
    • CreateThread.KERNEL32(00000000,00000000,01E05141,00000000,00000000,00000000), ref: 01E051A5
    • WaitForMultipleObjects.KERNEL32(00000001,?,00000001,00000BB8), ref: 01E051C4
    • CloseHandle.KERNEL32(?), ref: 01E051D9
    • GetDriveTypeW.KERNEL32(?), ref: 01E051F4
      • Part of subcall function 01E0373D: SetErrorMode.KERNEL32(00000001), ref: 01E03760
      • Part of subcall function 01E0373D: GetFileAttributesW.KERNEL32(?), ref: 01E0376A
      • Part of subcall function 01E0373D: SetErrorMode.KERNEL32(00000000), ref: 01E03774
    • HeapCreate.KERNEL32(00000000,00010000,00000000), ref: 01E05262
    • RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 01E05279
    • RtlInitializeCriticalSection.NTDLL(01E6DD68), ref: 01E052A2
    • CreateThread.KERNEL32(00000000,00000000,Function_000046A3,00000000,00000000,?), ref: 01E052BD
    • CreateThread.KERNEL32(00000000,00000000,Function_00004CE0,00000000,00000000,?), ref: 01E052DA
      • Part of subcall function 01E046A3: GetCurrentThread.KERNEL32(000000F1,00000000,01E052F5,00000000), ref: 01E046A6
      • Part of subcall function 01E046A3: SetThreadPriority.KERNEL32(00000000), ref: 01E046AD
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 01E0531F
    • CloseHandle.KERNEL32(?), ref: 01E05333
    • RtlDeleteCriticalSection.NTDLL(01E6D8BC), ref: 01E05688
      • Part of subcall function 01E04CE0: GetCurrentThread.KERNEL32(000000F1), ref: 01E04CF2
      • Part of subcall function 01E04CE0: SetThreadPriority.KERNEL32(00000000), ref: 01E04CF9
      • Part of subcall function 01E04CE0: GetCurrentThreadId.KERNEL32 ref: 01E04CFF
      • Part of subcall function 01E04CE0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 01E04D1C
      • Part of subcall function 01E04CE0: CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D2D
      • Part of subcall function 01E04CE0: CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D3B
      • Part of subcall function 01E04CE0: CryptGenRandom.ADVAPI32(?,00000004,?), ref: 01E04D4A
      • Part of subcall function 01E04CE0: GetTickCount.KERNEL32 ref: 01E04D50
      • Part of subcall function 01E04CE0: CryptReleaseContext.ADVAPI32(?,00000000,?), ref: 01E04D88
      • Part of subcall function 01E04CE0: GetTempPathW.KERNEL32(00000100,?), ref: 01E04D9D
      • Part of subcall function 01E04CE0: Sleep.KERNEL32(000003E8), ref: 01E04DD9
      • Part of subcall function 01E04CE0: RtlAllocateHeap.NTDLL(00000008,00040100), ref: 01E04DFA
      • Part of subcall function 01E04CE0: RtlAllocateHeap.NTDLL(00000008,00040100), ref: 01E04E11
      • Part of subcall function 01E04CE0: RtlEnterCriticalSection.NTDLL(?), ref: 01E04E2F
      • Part of subcall function 01E04CE0: GetTickCount.KERNEL32 ref: 01E04E4B
      • Part of subcall function 01E04CE0: RtlLeaveCriticalSection.NTDLL(?), ref: 01E04F71
      • Part of subcall function 01E04CE0: RtlEnterCriticalSection.NTDLL(01E6D8BC), ref: 01E04FBF
      • Part of subcall function 01E04CE0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,000007D0,00000000,00000000), ref: 01E05059
      • Part of subcall function 01E04CE0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,000003E8,00000000,00000000), ref: 01E050B0
      • Part of subcall function 01E04CE0: CreateFileW.KERNEL32(01E6D958,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01E050FC
      • Part of subcall function 01E04CE0: WriteFile.KERNEL32(01E6D8D4,01E2BC10,00000000,?,00000000), ref: 01E0511C
      • Part of subcall function 01E04CE0: RtlLeaveCriticalSection.NTDLL(01E6D8BC), ref: 01E0512D
    • RtlDeleteCriticalSection.NTDLL(01E6DD68), ref: 01E05361
    • HeapDestroy.KERNEL32 ref: 01E0536E
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,40000000,00000000,00000000,00000004,00000000,00000000), ref: 01E053AA
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 01E053BF
    • WriteFile.KERNEL32(01E2BC10,?,00000000), ref: 01E053E0
    • CloseHandle.KERNEL32 ref: 01E053EC
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01E053FE
    • GetFileSize.KERNEL32(00000000,00000000), ref: 01E05414
      • Part of subcall function 01E03509: GetProcessHeap.KERNEL32(00000008,00000001,01E01D45,0000001C), ref: 01E0350F
      • Part of subcall function 01E03509: RtlAllocateHeap.NTDLL(00000000), ref: 01E03516
    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 01E05441
    • SetFilePointer.KERNEL32(00000000,00000000,00000000), ref: 01E054C6
    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 01E0550F
    • WriteFile.KERNEL32(?,?,?,00000000), ref: 01E055F7
    • WriteFile.KERNEL32(?,?,?,00000000), ref: 01E0562B
    • WriteFile.KERNEL32(</table></body></html>,00000016,?,00000000), ref: 01E05649
    • SetEndOfFile.KERNEL32 ref: 01E05655
      • Part of subcall function 01E0351D: GetProcessHeap.KERNEL32(00000000,?,01E04191,?), ref: 01E03523
      • Part of subcall function 01E0351D: HeapFree.KERNEL32(00000000), ref: 01E0352A
    • CloseHandle.KERNEL32 ref: 01E05676
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
      • Part of subcall function 01E046A3: GetCurrentThread.KERNEL32(000000F1,00000000,01E052F5,00000000), ref: 01E046A6
      • Part of subcall function 01E046A3: SetThreadPriority.KERNEL32(00000000), ref: 01E046AD
    • GetLogicalDriveStringsW.KERNEL32(00000400,?), ref: 01E05165
    • RtlInitializeCriticalSection.NTDLL(01E6D8BC), ref: 01E05188
    • CreateThread.KERNEL32(00000000,00000000,01E05141,00000000,00000000,00000000), ref: 01E051A5
    • WaitForMultipleObjects.KERNEL32(00000001,?,00000001,00000BB8), ref: 01E051C4
    • CloseHandle.KERNEL32(?), ref: 01E051D9
    • GetDriveTypeW.KERNEL32(?), ref: 01E051F4
      • Part of subcall function 01E0373D: SetErrorMode.KERNEL32(00000001), ref: 01E03760
      • Part of subcall function 01E0373D: GetFileAttributesW.KERNEL32(?), ref: 01E0376A
      • Part of subcall function 01E0373D: SetErrorMode.KERNEL32(00000000), ref: 01E03774
    • HeapCreate.KERNEL32(00000000,00010000,00000000), ref: 01E05262
    • RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 01E05279
    • RtlInitializeCriticalSection.NTDLL(01E6DD68), ref: 01E052A2
    • CreateThread.KERNEL32(00000000,00000000,Function_000046A3,00000000,00000000,?), ref: 01E052BD
    • CreateThread.KERNEL32(00000000,00000000,Function_00004CE0,00000000,00000000,?), ref: 01E052DA
    • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 01E0531F
    • CloseHandle.KERNEL32(?), ref: 01E05333
    • RtlDeleteCriticalSection.NTDLL(01E6DD68), ref: 01E05361
    • HeapDestroy.KERNEL32 ref: 01E0536E
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,40000000,00000000,00000000,00000004,00000000,00000000), ref: 01E053AA
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 01E053BF
    • WriteFile.KERNEL32(01E2BC10,?,00000000), ref: 01E053E0
    • CloseHandle.KERNEL32 ref: 01E053EC
    • CreateFileW.KERNEL32(C:\ProgramData\upbbxxl.html,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01E053FE
    • GetFileSize.KERNEL32(00000000,00000000), ref: 01E05414
      • Part of subcall function 01E03509: GetProcessHeap.KERNEL32(00000008,00000001,01E01D45,0000001C), ref: 01E0350F
      • Part of subcall function 01E03509: RtlAllocateHeap.NTDLL(00000000), ref: 01E03516
    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 01E05441
    • SetFilePointer.KERNEL32(00000000,00000000,00000000), ref: 01E054C6
    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 01E0550F
    • WriteFile.KERNEL32(?,?,?,00000000), ref: 01E055F7
    • WriteFile.KERNEL32(?,?,?,00000000), ref: 01E0562B
    • WriteFile.KERNEL32(</table></body></html>,00000016,?,00000000), ref: 01E05649
    • SetEndOfFile.KERNEL32 ref: 01E05655
      • Part of subcall function 01E0351D: GetProcessHeap.KERNEL32(00000000,?,01E04191,?), ref: 01E03523
      • Part of subcall function 01E0351D: HeapFree.KERNEL32(00000000), ref: 01E0352A
    • CloseHandle.KERNEL32 ref: 01E05676
    • RtlDeleteCriticalSection.NTDLL(01E6D8BC), ref: 01E05688
      • Part of subcall function 01E04CE0: GetCurrentThread.KERNEL32(000000F1), ref: 01E04CF2
      • Part of subcall function 01E04CE0: SetThreadPriority.KERNEL32(00000000), ref: 01E04CF9
      • Part of subcall function 01E04CE0: GetCurrentThreadId.KERNEL32 ref: 01E04CFF
      • Part of subcall function 01E04CE0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 01E04D1C
      • Part of subcall function 01E04CE0: CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D2D
      • Part of subcall function 01E04CE0: CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D3B
      • Part of subcall function 01E04CE0: CryptGenRandom.ADVAPI32(?,00000004,?), ref: 01E04D4A
      • Part of subcall function 01E04CE0: GetTickCount.KERNEL32 ref: 01E04D50
      • Part of subcall function 01E04CE0: CryptReleaseContext.ADVAPI32(?,00000000,?), ref: 01E04D88
      • Part of subcall function 01E04CE0: GetTempPathW.KERNEL32(00000100,?), ref: 01E04D9D
      • Part of subcall function 01E04CE0: Sleep.KERNEL32(000003E8), ref: 01E04DD9
      • Part of subcall function 01E04CE0: RtlAllocateHeap.NTDLL(00000008,00040100), ref: 01E04DFA
      • Part of subcall function 01E04CE0: RtlAllocateHeap.NTDLL(00000008,00040100), ref: 01E04E11
      • Part of subcall function 01E04CE0: RtlEnterCriticalSection.NTDLL(?), ref: 01E04E2F
      • Part of subcall function 01E04CE0: GetTickCount.KERNEL32 ref: 01E04E4B
      • Part of subcall function 01E04CE0: RtlLeaveCriticalSection.NTDLL(?), ref: 01E04F71
      • Part of subcall function 01E04CE0: RtlEnterCriticalSection.NTDLL(01E6D8BC), ref: 01E04FBF
      • Part of subcall function 01E04CE0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,000007D0,00000000,00000000), ref: 01E05059
      • Part of subcall function 01E04CE0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,000003E8,00000000,00000000), ref: 01E050B0
      • Part of subcall function 01E04CE0: CreateFileW.KERNEL32(01E6D958,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01E050FC
      • Part of subcall function 01E04CE0: WriteFile.KERNEL32(01E6D8D4,01E2BC10,00000000,?,00000000), ref: 01E0511C
      • Part of subcall function 01E04CE0: RtlLeaveCriticalSection.NTDLL(01E6D8BC), ref: 01E0512D
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • LoadLibraryA.KERNEL32(user32.dll), ref: 01E06441
    • GetProcAddress.KERNEL32(00000000,GetDC), ref: 01E0644F
    • GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 01E06460
    • GetProcAddress.KERNEL32(00000000,FillRect), ref: 01E06471
    • GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 01E06482
    • GetProcAddress.KERNEL32(00000000,GetWindowRect), ref: 01E06493
    • GetProcAddress.KERNEL32(00000000,GetDesktopWindow), ref: 01E064A4
    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 01E064B4
    • GetProcAddress.KERNEL32(00000000,RegSetValueExW), ref: 01E064C2
    • GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 01E064D3
    • GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 01E064E4
    • GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 01E064F5
    • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 01E06506
    • GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 01E06517
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 01E06528
    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 01E06539
    • LoadLibraryA.KERNEL32(gdi32.dll), ref: 01E06549
    • GetProcAddress.KERNEL32(00000000,SetTextColor), ref: 01E06557
    • GetProcAddress.KERNEL32(00000000,GetTextExtentPoint32W), ref: 01E06568
    • GetProcAddress.KERNEL32(00000000,GetDIBits), ref: 01E06579
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 01E0658A
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 01E0659B
    • GetProcAddress.KERNEL32(00000000,CreateSolidBrush), ref: 01E065AC
    • GetProcAddress.KERNEL32(00000000,TextOutW), ref: 01E065BD
    • GetProcAddress.KERNEL32(00000000,CreateFontW), ref: 01E065CE
    • GetProcAddress.KERNEL32(00000000,SetBkMode), ref: 01E065DF
    • GetProcAddress.KERNEL32(00000000,SelectObject), ref: 01E065F0
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 01E06600
    • GetProcAddress.KERNEL32(00000000,HeapDestroy), ref: 01E0660E
    • GetProcAddress.KERNEL32(00000000,SetEndOfFile), ref: 01E0661F
    • GetProcAddress.KERNEL32(00000000,SetFilePointer), ref: 01E06630
    • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 01E06641
    • GetProcAddress.KERNEL32(00000000,WideCharToMultiByte), ref: 01E06652
    • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 01E06663
    • GetProcAddress.KERNEL32(00000000,GetTickCount), ref: 01E06674
    • GetProcAddress.KERNEL32(00000000,GetDriveTypeW), ref: 01E06685
    • GetProcAddress.KERNEL32(00000000,EnterCriticalSection), ref: 01E06696
    • GetProcAddress.KERNEL32(00000000,GetTempPathW), ref: 01E066A7
    • GetProcAddress.KERNEL32(00000000,SetFileTime), ref: 01E066B8
    • GetProcAddress.KERNEL32(00000000,InitializeCriticalSection), ref: 01E066C9
    • GetProcAddress.KERNEL32(00000000,HeapReAlloc), ref: 01E066DA
    • GetProcAddress.KERNEL32(00000000,GetCurrentThread), ref: 01E066EB
    • GetProcAddress.KERNEL32(00000000,HeapAlloc), ref: 01E066FC
    • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 01E0670D
    • GetProcAddress.KERNEL32(00000000,LeaveCriticalSection), ref: 01E0671E
    • GetProcAddress.KERNEL32(00000000,GetUserGeoID), ref: 01E0672F
    • GetProcAddress.KERNEL32(00000000,DeleteCriticalSection), ref: 01E06740
    • GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 01E06751
    • GetProcAddress.KERNEL32(00000000,CreateThread), ref: 01E06762
    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 01E06773
    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 01E06784
    • GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 01E06795
    • GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsW), ref: 01E067A6
    • GetProcAddress.KERNEL32(00000000,WaitForMultipleObjects), ref: 01E067B7
    • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 01E067C8
    • GetProcAddress.KERNEL32(00000000,SetErrorMode), ref: 01E067D9
    • GetProcAddress.KERNEL32(00000000,GetFileTime), ref: 01E067EA
    • GetProcAddress.KERNEL32(00000000,Sleep), ref: 01E067FB
    • GetProcAddress.KERNEL32(00000000,GetProcessHeap), ref: 01E0680C
    • GetProcAddress.KERNEL32(00000000,HeapFree), ref: 01E0681D
    • GetProcAddress.KERNEL32(00000000,FindClose), ref: 01E0682E
    • GetProcAddress.KERNEL32(00000000,SetThreadPriority), ref: 01E0683F
    • GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 01E06850
    • GetProcAddress.KERNEL32(00000000,MultiByteToWideChar), ref: 01E06861
    • GetProcAddress.KERNEL32(00000000,GetSystemTimeAsFileTime), ref: 01E06872
    • GetProcAddress.KERNEL32(00000000,HeapCreate), ref: 01E06883
    • GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 01E06894
    • GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 01E068A5
    • LoadLibraryA.KERNEL32(shell32.dll), ref: 01E068B5
    • GetProcAddress.KERNEL32(00000000,SHEmptyRecycleBinW), ref: 01E068C3
    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 01E068D4
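The LoadLibraryA/GetProcAddress run above is the injected module rebuilding its import table at runtime, which is why a static import scan of the dropped sample shows none of the crypto, GDI or file APIs it actually calls. HCA prints the module handle passed to GetProcAddress as 00000000, so the DLL an API belongs to is only implied by the nearest preceding LoadLibraryA. The Python below is an added example and not part of the Joe Sandbox report: it reconstructs the per-DLL import list from listing lines in this format (a subset of the lines above is embedded as sample input; paste the full run for the complete table) and tags the capability groups a triage analyst looks for. The capability map and its thresholds are this example's own choices, not report output.

```python
import re
from collections import defaultdict

# Sample input: a subset of the LoadLibraryA/GetProcAddress lines copied from the
# HCA listing of the module at 0x01E00000 in process 6 (explorer.exe).
HCA_LINES = """
• LoadLibraryA.KERNEL32(user32.dll), ref: 01E06441
• GetProcAddress.KERNEL32(00000000,GetDC), ref: 01E0644F
• GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 01E06482
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 01E064B4
• GetProcAddress.KERNEL32(00000000,RegSetValueExW), ref: 01E064C2
• GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 01E06506
• GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 01E06528
• LoadLibraryA.KERNEL32(gdi32.dll), ref: 01E06549
• GetProcAddress.KERNEL32(00000000,GetDIBits), ref: 01E06579
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 01E06600
• GetProcAddress.KERNEL32(00000000,SetEndOfFile), ref: 01E0661F
• GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 01E06663
• GetProcAddress.KERNEL32(00000000,SetFileTime), ref: 01E066B8
• GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 01E06751
• GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsW), ref: 01E067A6
• LoadLibraryA.KERNEL32(shell32.dll), ref: 01E068B5
• GetProcAddress.KERNEL32(00000000,SHEmptyRecycleBinW), ref: 01E068C3
"""

# One HCA call line: "• Api.MODULE(arg,arg,...), ref: ADDRESS"
CALL_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

def rebuild_imports(listing):
    """Return {dll: [api, ...]} in resolution order.

    The module handle is a runtime value HCA shows as 00000000, so the DLL
    for each GetProcAddress is the one named by the closest preceding
    LoadLibraryA; that is tracked here as parser state.
    """
    imports = defaultdict(list)
    current_dll = None
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        api, args = m.group("api"), m.group("args")
        if api == "LoadLibraryA":
            current_dll = args.strip().lower()
        elif api == "GetProcAddress" and current_dll:
            imports[current_dll].append(args.split(",")[-1].strip())
    return dict(imports)

# Capability tags: each fires when at least `need` of its APIs were resolved.
# The groups and thresholds are this example's assumptions for triage.
CAPABILITIES = {
    "key-generation": ({"CryptAcquireContextW", "CryptGenRandom"}, 2),
    "in-place-file-rewrite": ({"SetEndOfFile", "SetFilePointer", "MoveFileExW",
                               "SetFileTime", "WriteFile"}, 3),
    "drive-walk": ({"GetLogicalDriveStringsW", "GetDriveTypeW",
                    "FindFirstFileW", "FindNextFileW"}, 2),
    "wallpaper-change": ({"SystemParametersInfoW", "GetDIBits", "RegSetValueExW"}, 2),
    "recycle-bin-purge": ({"SHEmptyRecycleBinW"}, 1),
}

def tag_capabilities(imports):
    """Sorted list of capability tags whose threshold the resolved APIs meet."""
    resolved = {api for apis in imports.values() for api in apis}
    return sorted(tag for tag, (apis, need) in CAPABILITIES.items()
                  if len(apis & resolved) >= need)

if __name__ == "__main__":
    table = rebuild_imports(HCA_LINES)
    for dll, apis in table.items():
        print(f"{dll}: {', '.join(apis)}")
    print("capabilities:", tag_capabilities(table))
```

Run against the full 70-line run above, the reconstructed table is effectively the import directory the packer removed, and is the input you would hand to a static rule (import hashing, YARA on API name strings) that the on-disk sample alone cannot satisfy.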
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 01E0478D
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01E047A9
    • MoveFileExW.KERNEL32(?,?,00000001), ref: 01E047C5
    • GetFileTime.KERNEL32(00000000,?,?,?,?,?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E047E0
    • GetFileSize.KERNEL32(00000000,00000000,?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E047E8
    • ReadFile.KERNEL32(?,?,Actx ,?,00000000), ref: 01E04807
    • GetSystemTimeAsFileTime.KERNEL32(?,?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E04811
    • GetTickCount.KERNEL32(?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E04835
    • SetFilePointer.KERNEL32(?,00000030,00000000,00000000,?,?,?,?,?,?,?), ref: 01E04928
    • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01E049BF
    • ReadFile.KERNEL32(?,?,Actx ,?,00000000), ref: 01E049D8
    • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01E049FF
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E04A3F
    • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01E04A86
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E04AC6
    • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01E04B28
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E04B63
    • SetEndOfFile.KERNEL32(?), ref: 01E04B6F
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 01E04B7B
    • WriteFile.KERNEL32(?,?,00000030,?,00000000), ref: 01E04BB8
    • SetFileTime.KERNEL32(?,?,?,?), ref: 01E04BCD
    • CloseHandle.KERNEL32(?), ref: 01E04BD6
    • MoveFileExW.KERNEL32(?,000003E8,00000001), ref: 01E04BE7
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • GetCurrentThread.KERNEL32(000000F1), ref: 01E04CF2
    • SetThreadPriority.KERNEL32(00000000), ref: 01E04CF9
    • GetCurrentThreadId.KERNEL32 ref: 01E04CFF
    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 01E04D1C
    • CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D2D
    • CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D3B
    • CryptGenRandom.ADVAPI32(?,00000004,?), ref: 01E04D4A
    • GetTickCount.KERNEL32 ref: 01E04D50
    • CryptReleaseContext.ADVAPI32(?,00000000,?), ref: 01E04D88
    • GetTempPathW.KERNEL32(00000100,?), ref: 01E04D9D
    • Sleep.KERNEL32(000003E8), ref: 01E04DD9
    • RtlAllocateHeap.NTDLL(00000008,00040100), ref: 01E04DFA
    • RtlAllocateHeap.NTDLL(00000008,00040100), ref: 01E04E11
    • RtlEnterCriticalSection.NTDLL(?), ref: 01E04E2F
    • GetTickCount.KERNEL32 ref: 01E04E4B
    • RtlLeaveCriticalSection.NTDLL(?), ref: 01E04F71
      • Part of subcall function 01E04721: MoveFileExW.KERNEL32(?,?,00000001), ref: 01E0478D
      • Part of subcall function 01E04721: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01E047A9
      • Part of subcall function 01E04721: MoveFileExW.KERNEL32(?,?,00000001), ref: 01E047C5
      • Part of subcall function 01E04721: GetFileTime.KERNEL32(00000000,?,?,?,?,?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E047E0
      • Part of subcall function 01E04721: GetFileSize.KERNEL32(00000000,00000000,?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E047E8
      • Part of subcall function 01E04721: ReadFile.KERNEL32(?,?,Actx ,?,00000000), ref: 01E04807
      • Part of subcall function 01E04721: GetSystemTimeAsFileTime.KERNEL32(?,?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E04811
      • Part of subcall function 01E04721: GetTickCount.KERNEL32(?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E04835
      • Part of subcall function 01E04721: SetFilePointer.KERNEL32(?,00000030,00000000,00000000,?,?,?,?,?,?,?), ref: 01E04928
      • Part of subcall function 01E04721: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01E049BF
      • Part of subcall function 01E04721: ReadFile.KERNEL32(?,?,Actx ,?,00000000), ref: 01E049D8
      • Part of subcall function 01E04721: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01E049FF
      • Part of subcall function 01E04721: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E04A3F
      • Part of subcall function 01E04721: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01E04A86
      • Part of subcall function 01E04721: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E04AC6
      • Part of subcall function 01E04721: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01E04B28
      • Part of subcall function 01E04721: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E04B63
      • Part of subcall function 01E04721: SetEndOfFile.KERNEL32(?), ref: 01E04B6F
      • Part of subcall function 01E04721: SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 01E04B7B
      • Part of subcall function 01E04721: WriteFile.KERNEL32(?,?,00000030,?,00000000), ref: 01E04BB8
      • Part of subcall function 01E04721: SetFileTime.KERNEL32(?,?,?,?), ref: 01E04BCD
      • Part of subcall function 01E04721: CloseHandle.KERNEL32(?), ref: 01E04BD6
      • Part of subcall function 01E04721: MoveFileExW.KERNEL32(?,000003E8,00000001), ref: 01E04BE7
    • RtlEnterCriticalSection.NTDLL(01E6D8BC), ref: 01E04FBF
      • Part of subcall function 01E04C24: CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,00000000,00000002,00000002,00000000), ref: 01E04C9F
      • Part of subcall function 01E04C24: Sleep.KERNEL32(00000064), ref: 01E04CAE
      • Part of subcall function 01E04C24: WriteFile.KERNEL32(00000000,?,0000028E,?,00000000), ref: 01E04CCE
      • Part of subcall function 01E04C24: CloseHandle.KERNEL32(00000000), ref: 01E04CD5
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,000007D0,00000000,00000000), ref: 01E05059
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,000003E8,00000000,00000000), ref: 01E050B0
    • CreateFileW.KERNEL32(01E6D958,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01E050FC
    • WriteFile.KERNEL32(01E6D8D4,01E2BC10,00000000,?,00000000), ref: 01E0511C
    • RtlLeaveCriticalSection.NTDLL(01E6D8BC), ref: 01E0512D
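Read together, subcall 01E04721 and the key setup at the top of 01E04CE0 above show the per-file routine: the target is renamed with MoveFileExW (flags 00000001 = MOVEFILE_REPLACE_EXISTING), opened with C0000000 (GENERIC_READ | GENERIC_WRITE) and disposition 00000003 (OPEN_EXISTING), read, written back through the same handle, cut with SetEndOfFile, given a 0x30-byte block at offset 0 (SetFilePointer to 0 followed by WriteFile of 00000030 bytes), and closed after SetFileTime, with a final MoveFileExW; the timestamps read by GetFileTime at the start are the natural source of the values written back, although HCA does not recover them. Before the walk starts, CryptAcquireContextW is called with F0000000 (CRYPT_VERIFYCONTEXT, so no key container is left on disk) and CryptGenRandom for 00000020, 00000020 and 00000004 bytes. The Python below is an added example, not report output: it decodes those constants and checks a listing in this format for the in-place rewrite pattern. What the 0x30-byte block and the random buffers contain is not recoverable from this trace, and the step list the check requires is this example's own choice.

```python
import re

# Sample input: lines copied from the listing of subcall 01E04721 (per-file
# routine) and from the key setup in 01E04CE0 above. Lines HCA prints without
# parentheses ("GetTickCount.KERNEL32 ref: ...") are skipped by the parser.
FILE_ROUTINE = r"""
• MoveFileExW.KERNEL32(?,?,00000001), ref: 01E0478D
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01E047A9
• MoveFileExW.KERNEL32(?,?,00000001), ref: 01E047C5
• GetFileTime.KERNEL32(00000000,?,?,?,?,?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E047E0
• GetFileSize.KERNEL32(00000000,00000000,?,01E04FAC,?,?,?,?,?,00000000,?,?), ref: 01E047E8
• ReadFile.KERNEL32(?,?,Actx ,?,00000000), ref: 01E04807
• SetFilePointer.KERNEL32(?,00000030,00000000,00000000,?,?,?,?,?,?,?), ref: 01E04928
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E04A3F
• SetEndOfFile.KERNEL32(?), ref: 01E04B6F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 01E04B7B
• WriteFile.KERNEL32(?,?,00000030,?,00000000), ref: 01E04BB8
• SetFileTime.KERNEL32(?,?,?,?), ref: 01E04BCD
• CloseHandle.KERNEL32(?), ref: 01E04BD6
• MoveFileExW.KERNEL32(?,000003E8,00000001), ref: 01E04BE7
"""
KEY_SETUP = r"""
• CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 01E04D1C
• CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D2D
• CryptGenRandom.ADVAPI32(?,00000020,?), ref: 01E04D3B
• CryptGenRandom.ADVAPI32(?,00000004,?), ref: 01E04D4A
• CryptReleaseContext.ADVAPI32(?,00000000,?), ref: 01E04D88
"""

CALL_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\)")

def parse_calls(listing):
    """Yield (api, [arg, ...]); '?' marks a value HCA could not recover."""
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if m:
            yield m.group("api"), [a.strip() for a in m.group("args").split(",")]

def hexarg(a):
    """Parse a hex argument; None for '?' or any non-numeric text."""
    try:
        return int(a, 16)
    except ValueError:
        return None

# Win32 constants used by the routine (values from the public headers).
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVEFILE_REPLACE_EXISTING = 0x1
CRYPT_VERIFYCONTEXT = 0xF0000000

def describe_create_file(args):
    """(access names, disposition name) for a CreateFileW argument list."""
    access = hexarg(args[1]) or 0
    names = [n for bit, n in GENERIC.items() if access & bit]
    return "|".join(names) or f"{access:#x}", DISPOSITION.get(hexarg(args[4]), "?")

def is_inplace_rewrite(calls):
    """True when one routine opens a file read+write, rewrites and truncates
    it, restores its timestamps and renames it: the shape of in-place
    document encryption. The required step set is this example's choice."""
    seen = set()
    for api, args in calls:
        if api == "CreateFileW":
            access, disp = describe_create_file(args)
            if "GENERIC_READ" in access and "GENERIC_WRITE" in access and disp == "OPEN_EXISTING":
                seen.add("open_rw_existing")
        elif api == "ReadFile":
            seen.add("read")
        elif api == "WriteFile":
            seen.add("write")
        elif api == "SetEndOfFile":
            seen.add("truncate")
        elif api == "SetFileTime":
            seen.add("restore_time")
        elif api == "MoveFileExW" and hexarg(args[2]) == MOVEFILE_REPLACE_EXISTING:
            seen.add("rename_replace")
    required = {"open_rw_existing", "read", "write", "truncate", "restore_time", "rename_replace"}
    return required <= seen

def header_bytes(calls):
    """Length of the block written at offset 0 (WriteFile right after a
    SetFilePointer to 0), or None if the routine never does that."""
    at_zero = False
    for api, args in calls:
        if api == "SetFilePointer":
            at_zero = hexarg(args[1]) == 0
        elif api == "WriteFile" and at_zero:
            return hexarg(args[2])
    return None

def random_material(calls):
    """(bytes requested per CryptGenRandom call, CSP opened with CRYPT_VERIFYCONTEXT)."""
    ephemeral, sizes = False, []
    for api, args in calls:
        if api == "CryptAcquireContextW" and hexarg(args[4]) == CRYPT_VERIFYCONTEXT:
            ephemeral = True
        elif api == "CryptGenRandom":
            sizes.append(hexarg(args[1]))
    return sizes, ephemeral
```

The point for detection engineering: because the file is rewritten through the handle it was opened with and its timestamps are put back, triage that keys on new files or on modified-time clustering sees little; file-system telemetry that records the open (read+write, OPEN_EXISTING), the truncate and the rename on one handle is what exposes the routine.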
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • FindFirstFileW.KERNEL32(?,?,00000000,?,01E046D0,?,?,00000000), ref: 01E042F6
    • RtlEnterCriticalSection.NTDLL(?), ref: 01E04520
    • RtlReAllocateHeap.NTDLL(00000008,?), ref: 01E045A2
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 01E04602
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 01E04641
    • RtlLeaveCriticalSection.NTDLL(?), ref: 01E0466F
      • Part of subcall function 01E03EB0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01E03F18
      • Part of subcall function 01E03EB0: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 01E03F7D
      • Part of subcall function 01E03EB0: CloseHandle.KERNEL32(00000000), ref: 01E03F84
      • Part of subcall function 01E03EB0: GetDesktopWindow.USER32 ref: 01E03FD0
      • Part of subcall function 01E03EB0: GetWindowRect.USER32(00000000,?), ref: 01E03FDE
      • Part of subcall function 01E03EB0: GetDC.USER32(?), ref: 01E03FF0
      • Part of subcall function 01E03EB0: CreateCompatibleDC.GDI32(00000000), ref: 01E03FFA
      • Part of subcall function 01E03EB0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 01E04008
      • Part of subcall function 01E03EB0: ReleaseDC.USER32(?,?), ref: 01E04017
      • Part of subcall function 01E03EB0: SelectObject.GDI32(?,?), ref: 01E04023
      • Part of subcall function 01E03EB0: CreateSolidBrush.GDI32(00000000), ref: 01E0402B
      • Part of subcall function 01E03EB0: FillRect.USER32(?,?,00000000), ref: 01E04039
      • Part of subcall function 01E03EB0: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 01E040C1
      • Part of subcall function 01E03EB0: GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 01E0411E
      • Part of subcall function 01E03EB0: WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 01E04159
      • Part of subcall function 01E03EB0: WriteFile.KERNEL32(?,?,00000028,?,00000000), ref: 01E0416A
      • Part of subcall function 01E03EB0: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01E0417C
      • Part of subcall function 01E03EB0: CloseHandle.KERNEL32(?), ref: 01E04183
    • FindNextFileW.KERNEL32(?,?,?,?,00000000), ref: 01E04684
    • FindClose.KERNEL32(?), ref: 01E04695
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • SelectObject.GDI32(?), ref: 01E03932
    • SetTextColor.GDI32(?,00FFFFFF), ref: 01E0393E
    • SetBkMode.GDI32(?,00000001), ref: 01E03947
    • GetTextExtentPoint32W.GDI32(?,|{y!~^_,00000007,?), ref: 01E03959
    • SelectObject.GDI32(?), ref: 01E03A1C
    • GetTextExtentPoint32W.GDI32(?,|{y!~^_,00000007,?), ref: 01E03A2E
    • SetTextColor.GDI32(?), ref: 01E03A3E
      • Part of subcall function 01E03849: GetTextExtentPoint32W.GDI32(?,?,00000000,?), ref: 01E03871
      • Part of subcall function 01E03849: GetTextExtentPoint32W.GDI32(?,?,00000000,?), ref: 01E038B1
      • Part of subcall function 01E03849: TextOutW.GDI32(?,?,?,?,00000000), ref: 01E03914
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd
    APIs
    • CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,00000000,00000002,00000002,00000000), ref: 01E04C9F
    • Sleep.KERNEL32(00000064), ref: 01E04CAE
    • WriteFile.KERNEL32(00000000,?,0000028E,?,00000000), ref: 01E04CCE
    • CloseHandle.KERNEL32(00000000), ref: 01E04CD5
    Strings
    • C:\ProgramData\Adobe\hygrtse, xrefs: 01E04C9A
    Memory Dump Source
    • Source File: 00000006.00000002.870557473.01E00000.00000020.sdmp, Offset: 01E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_1e00000_explorer.jbxd

    Executed Functions

    Non-executed Functions

    Executed Functions

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(0158DF48), ref: 014BA1D8
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 01508132
      • Part of subcall function 0153E2B1: RegOpenKeyExA.ADVAPI32(80000002,0161BB00,00000000,00000101,01508176,00000057), ref: 0153E2D9
      • Part of subcall function 0153E2B1: RegQueryValueExA.KERNEL32(01508176,0161BB20,00000000,00000000,041d84af-7e76-450d-8340-55db3c73c359,0000003F), ref: 0153E2F9
      • Part of subcall function 0153E2B1: RegCloseKey.KERNEL32(01508176), ref: 0153E302
    • OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 015081B2
    • ExitProcess.KERNEL32(00000000), ref: 015081BD
    • CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 015081CB
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData\upbbxxl.html), ref: 015081E6
      • Part of subcall function 0153E07D: GetProcessHeap.KERNEL32(00000008,0000001C,.html,0159532C,?,00000000,01508232), ref: 0153E09B
      • Part of subcall function 0153E07D: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0153E0A2
      • Part of subcall function 0153ECC7: GetVersion.KERNEL32(0150825B), ref: 0153ECC7
      • Part of subcall function 0154435A: Sleep.KERNEL32(00002710,.html,0159532C,?,01508269), ref: 015443AC
      • Part of subcall function 0154435A: ExitProcess.KERNEL32(00000000,?,01508269), ref: 015443BD
      • Part of subcall function 0154435A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 01544423
      • Part of subcall function 0154435A: WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 01544439
      • Part of subcall function 01543BDA: FindFirstFileW.KERNELBASE(?,?,00000000,?,01508296,?,?,?), ref: 01543C55
      • Part of subcall function 01543BDA: CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,80000000,00000000,00000000,00000003,00000002,00000000), ref: 01543D37
      • Part of subcall function 01543BDA: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,01508296,?,?,?), ref: 01543D47
      • Part of subcall function 01543BDA: ReadFile.KERNEL32(00000000,0167A528,0000028E,?,00000000), ref: 01543D68
      • Part of subcall function 01543BDA: CloseHandle.KERNEL32(00000000), ref: 01543D7A
      • Part of subcall function 01543BDA: FindNextFileW.KERNEL32(?,?,?,01508296,?,?,?), ref: 01543D8A
      • Part of subcall function 01543BDA: FindClose.KERNEL32(?,?,01508296,?,?,?), ref: 01543D9B
      • Part of subcall function 01543BDA: CloseHandle.KERNEL32(00000000), ref: 01543DA9
      • Part of subcall function 01543BDA: FindClose.KERNELBASE(?,?,?,?,?,?,01508296,?,?,?), ref: 01543DB2
    • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 015082AF
    • GetTempPathW.KERNEL32(00000100,?), ref: 015083E3
    • GetTickCount.KERNEL32 ref: 01508412
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01508440
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 01508460
    • CloseHandle.KERNEL32(00000000), ref: 01508467
    • ShellExecuteW.SHELL32(00000000,0161C2DC,?,00000000,00000000,00000005), ref: 0150847F
    • CloseHandle.KERNEL32(?), ref: 0150848E
      • Part of subcall function 01543DBC: CreateToolhelp32Snapshot.KERNEL32(00000002,016B1094), ref: 01543DE4
      • Part of subcall function 01543DBC: Process32FirstW.KERNEL32 ref: 01543DFE
      • Part of subcall function 01543DBC: Process32NextW.KERNEL32(00000000,0000022C), ref: 01543E3E
      • Part of subcall function 01543DBC: CloseHandle.KERNEL32(00000000), ref: 01543E61
      • Part of subcall function 01542F9E: GetModuleFileNameW.KERNEL32(00000000,?,00000200,.html,?,00000000,?,015084B4,?), ref: 01542FBE
      • Part of subcall function 01542F9E: GetTempPathW.KERNEL32(00000200,?), ref: 01542FC9
      • Part of subcall function 01542F9E: GetFileSize.KERNEL32(00000000,00000000), ref: 01543040
      • Part of subcall function 01542F9E: ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0154305D
      • Part of subcall function 01542F9E: CloseHandle.KERNEL32(00000000), ref: 01543064
      • Part of subcall function 01542F9E: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 015430E2
      • Part of subcall function 01542F9E: CloseHandle.KERNEL32(?), ref: 015430EB
      • Part of subcall function 015430F5: GetVersion.KERNEL32(?,?,015084E8,?,00000000,00000001,?,?,?,?,?,?,?,?), ref: 015430F9
    • Sleep.KERNEL32(0002BF20), ref: 015084F4
      • Part of subcall function 015438C3: GetLogicalDriveStringsW.KERNEL32(00000400,?), ref: 0154391C
      • Part of subcall function 015438C3: RtlInitializeCriticalSection.NTDLL(0167CF2C), ref: 0154392D
      • Part of subcall function 015438C3: GetDriveTypeW.KERNEL32(?), ref: 015439A6
      • Part of subcall function 015438C3: wsprintfW.USER32(?,0161C148,?), ref: 015439C6
      • Part of subcall function 015438C3: GetFileAttributesW.KERNEL32(?), ref: 015439D8
      • Part of subcall function 015438C3: HeapCreate.KERNEL32(00000000,00010000,00000000), ref: 01543A48
      • Part of subcall function 015438C3: RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 01543A5F
      • Part of subcall function 015438C3: RtlInitializeCriticalSection.NTDLL(0167CC28), ref: 01543A89
      • Part of subcall function 015438C3: WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 01543AE6
      • Part of subcall function 015438C3: CloseHandle.KERNEL32(?), ref: 01543AF6
      • Part of subcall function 015438C3: HeapDestroy.KERNEL32 ref: 01543B1E
      • Part of subcall function 015438C3: CreateFileW.KERNEL32(0167FF98,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01543B86
      • Part of subcall function 015438C3: WriteFile.KERNEL32(0167CF28,0163AD28,?,00000000), ref: 01543BA8
      • Part of subcall function 015438C3: CloseHandle.KERNEL32 ref: 01543BB4
    • RegCloseKey.ADVAPI32(?), ref: 0150858F
    • RegCloseKey.ADVAPI32(?), ref: 015085E9
    • GetCurrentThread.KERNEL32(000000F1), ref: 01508604
    • SetThreadPriority.KERNEL32(00000000), ref: 0150860B
      • Part of subcall function 0153EFB8: GetSystemTimeAsFileTime.KERNEL32(?,.html,0159532C,00000000,?,01544376,.html,0159532C,?,01508269), ref: 0153EFCC
      • Part of subcall function 0153EFB8: RegisterClassExW.USER32 ref: 0153F03B
      • Part of subcall function 0153EFB8: CreateWindowExW.USER32(00000000,?,00000000,00000000,01544376,?,00000001,00000001,00000000,00000000,00000000), ref: 0153F08D
      • Part of subcall function 0153EFB8: UpdateWindow.USER32(00000000), ref: 0153F094
      • Part of subcall function 0153EFB8: TranslateMessage.USER32(?), ref: 0153F0A6
      • Part of subcall function 0153EFB8: DispatchMessageW.USER32(?), ref: 0153F0B0
      • Part of subcall function 0153EFB8: UnregisterClassW.USER32(?), ref: 0153F0D0
      • Part of subcall function 0153EFB8: GetUserGeoID.KERNEL32(00000010), ref: 0153F0D8
      • Part of subcall function 0153EFB8: GetTimeZoneInformation.KERNEL32(?,?,?,01544376,.html,0159532C,?,01508269), ref: 0153F109
      • Part of subcall function 0153EFB8: CryptAcquireContextW.ADVAPI32(0163AD20,00000000,00000000,00000001,F0000000,?,01544376,.html,0159532C,?,01508269), ref: 0153F156
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 01508685
    • AllocateAndInitializeSid.ADVAPI32 ref: 015086B2
    • GetLengthSid.ADVAPI32(00000000), ref: 015086C0
    • InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 015086DB
    • AddAccessAllowedAce.ADVAPI32(00000000,00000002,001F01FF,00000000), ref: 015086F4
    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 0150870A
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 01508795
    • CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,?,00000002,00000002,00000000), ref: 015087EC
    • CloseHandle.KERNEL32(00000000), ref: 015087FC
      • Part of subcall function 015411DA: CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,00000000,00000004,00000002,00000000), ref: 01541272
      • Part of subcall function 015411DA: Sleep.KERNEL32(00000064,?,01508807), ref: 01541281
      • Part of subcall function 015411DA: WriteFile.KERNEL32(00000000,?,0000028E,01508807,00000000), ref: 015412A1
      • Part of subcall function 015411DA: CloseHandle.KERNEL32(00000000), ref: 015412A8
      • Part of subcall function 0154426B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01544292
      • Part of subcall function 0154426B: Process32FirstW.KERNEL32 ref: 015442A8
      • Part of subcall function 0154426B: Process32NextW.KERNEL32(00000000,?), ref: 01544311
      • Part of subcall function 0154426B: Sleep.KERNEL32(000003E8), ref: 01544323
    • CreateThread.KERNEL32(00000000,00000000,01544344,00000000,00000000,00000000), ref: 01508859
    • Sleep.KERNEL32(000003E8), ref: 01508868
      • Part of subcall function 01541163: CreateFileW.KERNEL32(0167C7D8,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 01541183
      • Part of subcall function 01541163: GetFileSize.KERNEL32(00000000,00000000,?,?,?,015438E7,?), ref: 01541192
      • Part of subcall function 01541163: ReadFile.KERNEL32(00000000,?,0000028E,?,00000000), ref: 015411AF
      • Part of subcall function 01541163: CloseHandle.KERNEL32(00000000), ref: 015411C3
      • Part of subcall function 01541163: CloseHandle.KERNEL32(00000000), ref: 015411CE
    • CreateThread.KERNEL32(00000000,00000000,01544344,00000000,00000000,00000000), ref: 01508927
    • GetVersion.KERNEL32 ref: 01508939
      • Part of subcall function 01544449: Sleep.KERNEL32(000005DC,?,00000000,0150894B), ref: 01544466
      • Part of subcall function 01544449: SetProcessWindowStation.USER32(00000000), ref: 01544476
      • Part of subcall function 01544449: Sleep.KERNEL32(000005DC,?,00000000,0150894B), ref: 015444A1
      • Part of subcall function 01544449: SetThreadDesktop.USER32(00000000), ref: 015444B7
      • Part of subcall function 015441C0: OpenProcessToken.ADVAPI32(000000FF,00000028,00000002,00000000,00000001,?,015442FB,0000022C), ref: 015441DE
      • Part of subcall function 015441C0: LookupPrivilegeValueW.ADVAPI32(00000000,0161C230,00000040), ref: 015441F2
      • Part of subcall function 015441C0: AdjustTokenPrivileges.ADVAPI32(00000002,00000000,?,00000010,00000000,00000000,?,015442FB,0000022C), ref: 01544212
      • Part of subcall function 015441C0: OpenProcess.KERNEL32(001FFFFF,00000000,00000002,?,015442FB,0000022C), ref: 01544221
      • Part of subcall function 015441C0: CloseHandle.KERNEL32(00000000), ref: 0154425E
    • FindWindowExW.USER32(00000000,00000000,00000000,00000000), ref: 0150898C
    • CloseHandle.KERNEL32(?), ref: 015089A0
      • Part of subcall function 015444C2: Sleep.KERNEL32(000005DC,?,015089AB), ref: 01544524
      • Part of subcall function 0154453A: Sleep.KERNEL32(000005DC,?,015089B0), ref: 01544563
      • Part of subcall function 0154453A: DuplicateTokenEx.ADVAPI32(015089B0,02000000,00000000,00000001,00000001,?,?,015089B0), ref: 0154458C
      • Part of subcall function 0154453A: GetModuleFileNameW.KERNEL32 ref: 015445C5
      • Part of subcall function 0154453A: wsprintfW.USER32(?,0161C2C0,?), ref: 015445DE
      • Part of subcall function 0154453A: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000100), ref: 01544600
    • DeleteFileW.KERNEL32(C:\ProgramData\upbbxxl.html), ref: 01508A5C
      • Part of subcall function 014C258B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0151CD9B,00000000,015557C1,?,?,014D576F,000000FF,015556CA,?,?,014B2D13), ref: 014C2596
    • FindWindowW.USER32(0161C3A4,0161C3C0), ref: 015089ED
    • SendMessageW.USER32(00000000,00000111,000001A3,00000000), ref: 01508A03
    • CreateThread.KERNEL32(00000000,00000000,Function_000938C3,00000000,00000000,00000000), ref: 01508A19
      • Part of subcall function 01542609: GetDesktopWindow.USER32(000000FF,000000FF,01595198,?,01508A4E), ref: 0154261A
      • Part of subcall function 01542609: GetClientRect.USER32(00000000), ref: 01542621
      • Part of subcall function 01542609: CreateWindowExW.USER32(00000080,dgbngwk,0161C060,80000000,?,01508A4E,0167CF9C,0167CF98,00000000,00000000,00000000), ref: 01542679
      • Part of subcall function 01542609: ShowWindow.USER32(00000000,00000005), ref: 0154268B
      • Part of subcall function 01542609: UpdateWindow.USER32(00000000), ref: 01542692
      • Part of subcall function 01542609: TranslateMessage.USER32(?), ref: 015426A4
      • Part of subcall function 01542609: DispatchMessageW.USER32(?), ref: 015426AE
      • Part of subcall function 01542609: KiUserApcDispatcher.NTDLL(?,00000000,00000000,00000000,?,01508A4E), ref: 015426BB
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
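Several calls in this process-13 entry routine take an ACCESS_MASK whose meaning depends on the object type, and the constants are worth decoding exactly: OpenMutexW asks for 001F0001 (MUTEX_ALL_ACCESS) and is followed by ExitProcess, then CreateMutexW with bInitialOwner 00000001, which is consistent with a single-instance check; AddAccessAllowedAce grants 001F01FF, which equals FILE_ALL_ACCESS, on a descriptor built just before the CreateFileW of C:\ProgramData\Adobe\hygrtse that passes a non-NULL lpSecurityAttributes (the CreateDirectoryW call receives NULL); OpenProcessToken asks for 00000028 (TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES) so AdjustTokenPrivileges can enable a privilege whose name HCA did not recover; OpenProcess asks for 001FFFFF (PROCESS_ALL_ACCESS); and DuplicateTokenEx asks for 02000000 (MAXIMUM_ALLOWED) before CreateProcessAsUserW. The same low bits mean different rights per object, so decoding by hand is error-prone. The Python below is an added example and not part of the report: it decodes masks by object type from listing lines (the seven lines embedded are copied from this function's listing); the argument index and object type assigned to each API are taken from the documented prototypes and are this example's assumption, and the "over-privileged" rule is a triage heuristic of its own.

```python
import re

# Sample input: seven lines copied from the process-13 entry-routine listing.
TRACE = r"""
• OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 015081B2
• CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 015081CB
• AddAccessAllowedAce.ADVAPI32(00000000,00000002,001F01FF,00000000), ref: 015086F4
• CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,?,00000002,00000002,00000000), ref: 015087EC
• OpenProcessToken.ADVAPI32(000000FF,00000028,00000002,00000000,00000001,?,015442FB,0000022C), ref: 015441DE
• OpenProcess.KERNEL32(001FFFFF,00000000,00000002,?,015442FB,0000022C), ref: 01544221
• DuplicateTokenEx.ADVAPI32(015089B0,02000000,00000000,00000001,00000001,?,?,015089B0), ref: 0154458C
"""

# API -> (index of the dwDesiredAccess / AccessMask argument, object type).
# Assumption of this example, taken from the documented prototypes.
MASK_ARG = {
    "OpenMutexW": (0, "mutex"),
    "OpenProcess": (0, "process"),
    "OpenProcessToken": (1, "token"),
    "DuplicateTokenEx": (1, "token"),
    "CreateFileW": (1, "file"),
    # The descriptor carrying this ACE is passed to a CreateFileW, so decode as a file mask.
    "AddAccessAllowedAce": (2, "file"),
}

STANDARD = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
            0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE"}
GENERIC = {0x01000000: "ACCESS_SYSTEM_SECURITY", 0x02000000: "MAXIMUM_ALLOWED",
           0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
           0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
SPECIFIC = {
    "file": {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
             0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
             0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES"},
    "mutex": {0x1: "MUTEX_MODIFY_STATE"},
    "token": {0x1: "TOKEN_ASSIGN_PRIMARY", 0x2: "TOKEN_DUPLICATE", 0x4: "TOKEN_IMPERSONATE",
              0x8: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
              0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT", 0x100: "TOKEN_ADJUST_SESSIONID"},
    "process": {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID",
                0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
                0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
                0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
                0x2000: "PROCESS_SET_LIMITED_INFORMATION"},
}
# *_ALL_ACCESS as defined for Vista and later (PROCESS_ALL_ACCESS is 0x1FFFFF there).
ALL_ACCESS = {"file": 0x001F01FF, "mutex": 0x001F0001, "process": 0x001FFFFF, "token": 0x000F01FF}

def decode_mask(mask, kind):
    """Name every set bit for the given object type; bits with no name for
    that type are left as a hex remainder at the end of the list."""
    names, rest = [], mask
    for table in (SPECIFIC[kind], STANDARD, GENERIC):
        for bit, name in sorted(table.items()):
            if rest & bit:
                names.append(name)
                rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return names

def over_privileged(mask, kind):
    """Triage heuristic: a handle that asks for everything it can get."""
    if mask & 0x02000000:
        return "MAXIMUM_ALLOWED"
    if mask == ALL_ACCESS[kind] or mask & 0x10000000:
        return "ALL_ACCESS"
    return None

CALL_RE = re.compile(r"•\s*(?P<api>\w+)\.\w+\((?P<args>[^)]*)\)")

def audit(listing):
    """Decode the access mask of every call in MASK_ARG found in an HCA listing."""
    findings = []
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if not m or m.group("api") not in MASK_ARG:
            continue
        idx, kind = MASK_ARG[m.group("api")]
        args = [a.strip() for a in m.group("args").split(",")]
        try:
            mask = int(args[idx], 16)
        except ValueError:   # '?' means HCA did not recover the value
            continue
        findings.append({"api": m.group("api"), "kind": kind, "mask": mask,
                         "rights": decode_mask(mask, kind),
                         "flag": over_privileged(mask, kind)})
    return findings

if __name__ == "__main__":
    for f in audit(TRACE):
        print(f"{f['api']:<20} {f['mask']:08X} {f['flag'] or '-':<15} {'|'.join(f['rights'])}")
```

On this trace the decoder flags four of the six masks as all-access or MAXIMUM_ALLOWED; for a process that later calls CreateProcessAsUserW, the OpenProcess and DuplicateTokenEx requests are the ones a token-theft detection rule would key on.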
    APIs
    • Sleep.KERNELBASE(000003E8), ref: 015438D5
      • Part of subcall function 01541163: CreateFileW.KERNEL32(0167C7D8,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 01541183
      • Part of subcall function 01541163: GetFileSize.KERNEL32(00000000,00000000,?,?,?,015438E7,?), ref: 01541192
      • Part of subcall function 01541163: ReadFile.KERNEL32(00000000,?,0000028E,?,00000000), ref: 015411AF
      • Part of subcall function 01541163: CloseHandle.KERNEL32(00000000), ref: 015411C3
      • Part of subcall function 01541163: CloseHandle.KERNEL32(00000000), ref: 015411CE
    • ExitProcess.KERNEL32(00000000), ref: 015438FA
    • GetLogicalDriveStringsW.KERNEL32(00000400,?), ref: 0154391C
    • RtlInitializeCriticalSection.NTDLL(0167CF2C), ref: 0154392D
    • GetDriveTypeW.KERNEL32(?), ref: 015439A6
    • wsprintfW.USER32(?,0161C148,?), ref: 015439C6
    • GetFileAttributesW.KERNEL32(?), ref: 015439D8
    • HeapCreate.KERNEL32(00000000,00010000,00000000), ref: 01543A48
    • RtlAllocateHeap.NTDLL(00000000,00000008,00010000), ref: 01543A5F
    • RtlInitializeCriticalSection.NTDLL(0167CC28), ref: 01543A89
    • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 01543AE6
    • CloseHandle.KERNEL32(?), ref: 01543AF6
    • HeapDestroy.KERNEL32 ref: 01543B1E
    • CreateFileW.KERNEL32(0167FF98,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01543B86
    • WriteFile.KERNEL32(0167CF28,0163AD28,?,00000000), ref: 01543BA8
    • CloseHandle.KERNEL32 ref: 01543BB4
    Strings
    • C:\ProgramData\upbbxxl.html, xrefs: 01543B81
    • </table></body></html>, xrefs: 01543B67
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetUserGeoID.KERNEL32(00000010), ref: 015422AC
    • LoadLibraryA.KERNEL32 ref: 01542360
    • GetProcAddress.KERNEL32(00000000,0161C050,?,00000000,015089E3), ref: 0154236C
    • GetDesktopWindow.USER32(?,00000000,015089E3), ref: 01542374
    • GetDC.USER32(00000000), ref: 0154237F
      • Part of subcall function 014F8B33: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 014F8B78
      • Part of subcall function 01541DE2: GetDesktopWindow.USER32(00000000,000002BC,015421E7,00000000,00000000), ref: 01541DEE
      • Part of subcall function 01541DE2: GetDC.USER32(00000000), ref: 01541DF8
      • Part of subcall function 01541DE2: CreateCompatibleBitmap.GDI32(00000000,00000331,00000219), ref: 01541E04
      • Part of subcall function 01541DE2: CreateCompatibleDC.GDI32(00000000), ref: 01541E10
      • Part of subcall function 01541DE2: SelectObject.GDI32(00000000,?), ref: 01541E1D
      • Part of subcall function 01541DE2: SetDIBits.GDI32 ref: 01541E6E
      • Part of subcall function 01541DE2: ReleaseDC.USER32(?,?), ref: 01541E7A
    • ReleaseDC.USER32(?,?), ref: 01542561
    • CreateIconFromResource.USER32(015B1816,000025A8,00000001,00030000), ref: 01542593
    • GetLastError.KERNEL32 ref: 0154259B
    • LoadCursorW.USER32 ref: 015425D4
    • RegisterClassExW.USER32 ref: 015425FB
    Strings
    • dgbngwk, xrefs: 0154234F, 015425EF
    • 0, xrefs: 015425AC
    • Tahoma, xrefs: 01542201, 01542206, 0154221D, 01542254, 0154226F
• netilnedvlse<screentext>%a1%%f3%%c3%I tuoi dati personali sono criptati da CTB-Locker.%f0%%c0%I tuoi documenti, foto, dati e altri file importanti sono stati criptati con la crittografia forte e chiave univoca, generati per questo computer.Chiave , xrefs: 0154232E (Italian ransom text, truncated in the dump; in English: "Your personal data has been encrypted by CTB-Locker. Your documents, photos, data and other important files have been encrypted with strong encryption and a unique key, generated for this computer. Key")
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • FindFirstFileW.KERNELBASE(?,?,00000000,?,01508296,?,?,?), ref: 01543C55
    • CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,80000000,00000000,00000000,00000003,00000002,00000000), ref: 01543D37
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,01508296,?,?,?), ref: 01543D47
    • ReadFile.KERNEL32(00000000,0167A528,0000028E,?,00000000), ref: 01543D68
    • CloseHandle.KERNEL32(00000000), ref: 01543D7A
    • FindNextFileW.KERNEL32(?,?,?,01508296,?,?,?), ref: 01543D8A
    • FindClose.KERNEL32(?,?,01508296,?,?,?), ref: 01543D9B
    • CloseHandle.KERNEL32(00000000), ref: 01543DA9
    • FindClose.KERNELBASE(?,?,?,?,?,?,01508296,?,?,?), ref: 01543DB2
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetCurrentProcess.KERNEL32(00000008,?,.html,00000000,?,0153ECEB), ref: 0153EA24
    • OpenProcessToken.ADVAPI32(00000000,?,0153ECEB), ref: 0153EA2B
    • GetTokenInformation.KERNELBASE(00000000,00000019,00000000,00000000,?,0159532C,?,0153ECEB), ref: 0153EA47
    • GetLastError.KERNEL32(?,0153ECEB), ref: 0153EA4D
    • LocalAlloc.KERNEL32(00000040,?,?,0153ECEB), ref: 0153EA62
    • GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?,?,0153ECEB), ref: 0153EA7B
    • GetSidSubAuthority.ADVAPI32(00000000,00000000,?,0153ECEB), ref: 0153EA84
    • CloseHandle.KERNEL32(?), ref: 0153EA9C
    • LocalFree.KERNEL32(00000000,?,0153ECEB), ref: 0153EAA7
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetDesktopWindow.USER32(000000FF,000000FF,01595198,?,01508A4E), ref: 0154261A
    • GetClientRect.USER32(00000000), ref: 01542621
    • CreateWindowExW.USER32(00000080,dgbngwk,0161C060,80000000,?,01508A4E,0167CF9C,0167CF98,00000000,00000000,00000000), ref: 01542679
      • Part of subcall function 0153FF19: GetDC.USER32(?), ref: 0153FF46
      • Part of subcall function 0153FF19: ReleaseDC.USER32(?,00000000), ref: 0153FF59
      • Part of subcall function 0153FF19: MoveWindow.USER32(0167CBD8,00000000,00000000,00000294,00000019,00000000), ref: 0153FF8B
      • Part of subcall function 0153FF19: SetWindowTextA.USER32(0167A5A6), ref: 0153FFEC
      • Part of subcall function 0153FF19: RedrawWindow.USER32(?,00000000,00000000,00000001), ref: 0154002B
    • ShowWindow.USER32(00000000,00000005), ref: 0154268B
    • UpdateWindow.USER32(00000000), ref: 01542692
    • TranslateMessage.USER32(?), ref: 015426A4
    • DispatchMessageW.USER32(?), ref: 015426AE
    • KiUserApcDispatcher.NTDLL(?,00000000,00000000,00000000,?,01508A4E), ref: 015426BB
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000001,?,00000040,00000000,?,01542687,00000000,?,01508A4E), ref: 0153F257
    • BitBlt.GDI32(?,?,00000000,00000000,00000000,00CC0020,?,01542687,00000000), ref: 0153F299
    • SetBkMode.GDI32(?,00000001), ref: 0153F2A4
    • SelectObject.GDI32(?), ref: 0153F2C3
    • GetTextExtentPointW.GDI32(?,?,?,?), ref: 0153F2D7
    • TextOutW.GDI32(?,0000005C,?,?,?), ref: 0153F317
    • TextOutW.GDI32(?,?,?,?,?), ref: 0153F354
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(015B42B4), ref: 014DC6EE
    • TlsAlloc.KERNEL32 ref: 014DC787
    • RtlEncodePointer.NTDLL ref: 014DC7BD
    • RtlEncodePointer.NTDLL ref: 014DC7CA
    • RtlEncodePointer.NTDLL ref: 014DC7D7
    • RtlEncodePointer.NTDLL ref: 014DC7E4
      • Part of subcall function 014F3C0F: InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,00000000,015952A8,014DC7F0), ref: 014F3C37
    • RtlDecodePointer.NTDLL(Function_0005F3D5), ref: 014DC805
      • Part of subcall function 01508E62: Sleep.KERNEL32(00000000,01532184,00000001,00000214), ref: 01508E8A
    • RtlDecodePointer.NTDLL(00000000), ref: 014DC834
      • Part of subcall function 014E7A40: GetModuleHandleW.KERNEL32(015B42B4,016372C0,00000008,015321AD,00000000,00000000), ref: 014E7A51
      • Part of subcall function 014E7A40: InterlockedIncrement.KERNEL32(015958C0), ref: 014E7A92
    • GetCurrentThreadId.KERNEL32 ref: 014DC846
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 014FB9C3
      • Part of subcall function 01508E62: Sleep.KERNEL32(00000000,01532184,00000001,00000214), ref: 01508E8A
    • GetFileType.KERNEL32(?), ref: 014FBAF6
    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 014FBB2C
    • GetStdHandle.KERNEL32(-000000F6), ref: 014FBB80
    • GetFileType.KERNEL32(00000000), ref: 014FBB92
    • InitializeCriticalSectionAndSpinCount.KERNEL32(-016388D4,00000FA0), ref: 014FBBC0
    • SetHandleCount.KERNEL32 ref: 014FBBE9
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CreateFileW.KERNEL32(0167C7D8,C0000000,00000000,00000000,00000003,00000002,00000000), ref: 01541183
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,015438E7,?), ref: 01541192
    • ReadFile.KERNEL32(00000000,?,0000028E,?,00000000), ref: 015411AF
    • CloseHandle.KERNEL32(00000000), ref: 015411C3
    • CloseHandle.KERNEL32(00000000), ref: 015411CE
    Strings
    • C:\ProgramData\Adobe\hygrtse, xrefs: 0154117E
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,0161BB00,00000000,00000101,01508176,00000057), ref: 0153E2D9
    • RegQueryValueExA.KERNEL32(01508176,0161BB20,00000000,00000000,041d84af-7e76-450d-8340-55db3c73c359,0000003F), ref: 0153E2F9
    • RegCloseKey.KERNEL32(01508176), ref: 0153E302
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetDC.USER32(?), ref: 0153FF46
      • Part of subcall function 0153FADC: BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000), ref: 0153FB1A
      • Part of subcall function 0153FADC: BitBlt.GDI32(?,00000302,0000000F,5D0101D6,00000000,00000000,00CC0020,?,0153FF54), ref: 0153FB46
      • Part of subcall function 0153FADC: SetTextColor.GDI32(?,00FF80FF), ref: 0153FDEB
      • Part of subcall function 0153FADC: DrawTextW.USER32(?,0167D748,000000FF,?,00004024), ref: 0153FE31
      • Part of subcall function 0153FADC: SetTextColor.GDI32(?,00FF80FF), ref: 0153FE86
      • Part of subcall function 0153FADC: DrawTextW.USER32(?,0167D748,000000FF,?,00004024), ref: 0153FED0
    • ReleaseDC.USER32(?,00000000), ref: 0153FF59
    • MoveWindow.USER32(0167CBD8,00000000,00000000,00000294,00000019,00000000), ref: 0153FF8B
    • SetWindowTextA.USER32(0167A5A6), ref: 0153FFEC
      • Part of subcall function 0153F9C2: GetTickCount.KERNEL32(key,?,?,01542939,00000000,00000000,?,0159E29C,00000000,?,0154397A,00000000,0163AD28,0161C1AC), ref: 0153FA1D
    • RedrawWindow.USER32(?,00000000,00000000,00000001), ref: 0154002B
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • RtlDecodePointer.NTDLL(?,?,?,?,?,0150B1E3,?,01637410,0000000C,0152B1FB,?,?,0150AB8B,014BC59E), ref: 0158ECF8
    • RtlDecodePointer.NTDLL(?,?,?,?,?,0150B1E3,?,01637410,0000000C,0152B1FB,?,?,0150AB8B,014BC59E), ref: 0158ED05
      • Part of subcall function 01520F49: RtlSizeHeap.NTDLL(00000000,00000000), ref: 01520F74
      • Part of subcall function 014F1293: Sleep.KERNEL32(00000000), ref: 014F12BD
    • RtlEncodePointer.NTDLL(00000000), ref: 0158ED6A
    • RtlEncodePointer.NTDLL(?,?,?,?,?,?,0150B1E3,?,01637410,0000000C,0152B1FB,?,?,0150AB8B,014BC59E), ref: 0158ED7E
    • RtlEncodePointer.NTDLL(-00000004,?,?,?,?,?,0150B1E3,?,01637410,0000000C,0152B1FB,?,?,0150AB8B,014BC59E), ref: 0158ED86
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
      • Part of subcall function 002405D2: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00240096), ref: 002405DF
    • VirtualProtect.KERNELBASE(?,?,00000004,?,?), ref: 002400B6
    • VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,00000004,?,?), ref: 002400C6
    • VirtualProtect.KERNELBASE(?,?,00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004), ref: 0024010F
    • VirtualProtect.KERNELBASE(00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004,?,?), ref: 00240125
      • Part of subcall function 002401EC: VirtualProtect.KERNELBASE(?,?,00000004,?,00000000,?,00000000), ref: 0024022D
      • Part of subcall function 002401EC: VirtualProtect.KERNELBASE ref: 00240266
    Memory Dump Source
    • Source File: 0000000D.00000002.874821876.00240000.00000040.sdmp, Offset: 00240000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_240000_inbdgml.jbxd
    APIs
      • Part of subcall function 0150379D: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 015037D4
      • Part of subcall function 0150379D: GetCurrentProcessId.KERNEL32 ref: 015037E0
      • Part of subcall function 0150379D: GetCurrentThreadId.KERNEL32 ref: 015037E8
      • Part of subcall function 0150379D: GetTickCount.KERNEL32 ref: 015037F0
      • Part of subcall function 0150379D: QueryPerformanceCounter.KERNEL32(?), ref: 015037FC
    • GetStartupInfoW.KERNEL32(?,01637240,00000058), ref: 0158D13F
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 0158D154
      • Part of subcall function 014E94A0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0158D1A8), ref: 014E94A9
      • Part of subcall function 014DC6E6: GetModuleHandleW.KERNEL32(015B42B4), ref: 014DC6EE
      • Part of subcall function 014DC6E6: TlsAlloc.KERNEL32 ref: 014DC787
      • Part of subcall function 014DC6E6: RtlEncodePointer.NTDLL ref: 014DC7BD
      • Part of subcall function 014DC6E6: RtlEncodePointer.NTDLL ref: 014DC7CA
      • Part of subcall function 014DC6E6: RtlEncodePointer.NTDLL ref: 014DC7D7
      • Part of subcall function 014DC6E6: RtlEncodePointer.NTDLL ref: 014DC7E4
      • Part of subcall function 014DC6E6: RtlDecodePointer.NTDLL(Function_0005F3D5), ref: 014DC805
      • Part of subcall function 014DC6E6: RtlDecodePointer.NTDLL(00000000), ref: 014DC834
      • Part of subcall function 014DC6E6: GetCurrentThreadId.KERNEL32 ref: 014DC846
      • Part of subcall function 014FB9B6: GetStartupInfoW.KERNEL32(?), ref: 014FB9C3
      • Part of subcall function 014FB9B6: GetFileType.KERNEL32(?), ref: 014FBAF6
      • Part of subcall function 014FB9B6: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 014FBB2C
      • Part of subcall function 014FB9B6: GetStdHandle.KERNEL32(-000000F6), ref: 014FBB80
      • Part of subcall function 014FB9B6: GetFileType.KERNEL32(00000000), ref: 014FBB92
      • Part of subcall function 014FB9B6: InitializeCriticalSectionAndSpinCount.KERNEL32(-016388D4,00000FA0), ref: 014FBBC0
      • Part of subcall function 014FB9B6: SetHandleCount.KERNEL32 ref: 014FBBE9
    • GetCommandLineW.KERNEL32 ref: 0158D1DE
      • Part of subcall function 014D8ECD: GetEnvironmentStringsW.KERNEL32(00000000,0158D1EE), ref: 014D8ED0
      • Part of subcall function 014D8ECD: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 014D8F0C
      • Part of subcall function 014BBDA1: GetModuleFileNameW.KERNEL32(00000000,C:\Users\admin\AppData\Local\Temp\inbdgml.exe,00000104), ref: 014BBDC1
      • Part of subcall function 0150811C: GetModuleHandleW.KERNEL32(00000000), ref: 01508132
      • Part of subcall function 0150811C: OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 015081B2
      • Part of subcall function 0150811C: ExitProcess.KERNEL32(00000000), ref: 015081BD
      • Part of subcall function 0150811C: CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 015081CB
      • Part of subcall function 0150811C: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData\upbbxxl.html), ref: 015081E6
      • Part of subcall function 0150811C: GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 015082AF
      • Part of subcall function 0150811C: GetTempPathW.KERNEL32(00000100,?), ref: 015083E3
      • Part of subcall function 0150811C: GetTickCount.KERNEL32 ref: 01508412
      • Part of subcall function 0150811C: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01508440
      • Part of subcall function 0150811C: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 01508460
      • Part of subcall function 0150811C: CloseHandle.KERNEL32(00000000), ref: 01508467
      • Part of subcall function 0150811C: ShellExecuteW.SHELL32(00000000,0161C2DC,?,00000000,00000000,00000005), ref: 0150847F
      • Part of subcall function 0150811C: CloseHandle.KERNEL32(?), ref: 0150848E
      • Part of subcall function 0150811C: Sleep.KERNEL32(0002BF20), ref: 015084F4
      • Part of subcall function 0150811C: RegCloseKey.ADVAPI32(?), ref: 0150858F
      • Part of subcall function 0150811C: RegCloseKey.ADVAPI32(?), ref: 015085E9
      • Part of subcall function 0150811C: GetCurrentThread.KERNEL32(000000F1), ref: 01508604
      • Part of subcall function 0150811C: SetThreadPriority.KERNEL32(00000000), ref: 0150860B
      • Part of subcall function 0150811C: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 01508685
      • Part of subcall function 0150811C: AllocateAndInitializeSid.ADVAPI32 ref: 015086B2
      • Part of subcall function 0150811C: GetLengthSid.ADVAPI32(00000000), ref: 015086C0
      • Part of subcall function 0150811C: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 015086DB
      • Part of subcall function 0150811C: AddAccessAllowedAce.ADVAPI32(00000000,00000002,001F01FF,00000000), ref: 015086F4
      • Part of subcall function 0150811C: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 0150870A
      • Part of subcall function 0150811C: CreateDirectoryW.KERNEL32(?,00000000), ref: 01508795
      • Part of subcall function 0150811C: CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,?,00000002,00000002,00000000), ref: 015087EC
      • Part of subcall function 0150811C: CloseHandle.KERNEL32(00000000), ref: 015087FC
      • Part of subcall function 0150811C: CreateThread.KERNEL32(00000000,00000000,01544344,00000000,00000000,00000000), ref: 01508859
      • Part of subcall function 0150811C: Sleep.KERNEL32(000003E8), ref: 01508868
      • Part of subcall function 0150811C: CreateThread.KERNEL32(00000000,00000000,01544344,00000000,00000000,00000000), ref: 01508927
      • Part of subcall function 0150811C: GetVersion.KERNEL32 ref: 01508939
      • Part of subcall function 0150811C: FindWindowExW.USER32(00000000,00000000,00000000,00000000), ref: 0150898C
      • Part of subcall function 0150811C: CloseHandle.KERNEL32(?), ref: 015089A0
      • Part of subcall function 0150811C: FindWindowW.USER32(0161C3A4,0161C3C0), ref: 015089ED
      • Part of subcall function 0150811C: SendMessageW.USER32(00000000,00000111,000001A3,00000000), ref: 01508A03
      • Part of subcall function 0150811C: CreateThread.KERNEL32(00000000,00000000,Function_000938C3,00000000,00000000,00000000), ref: 01508A19
      • Part of subcall function 0150811C: DeleteFileW.KERNEL32(C:\ProgramData\upbbxxl.html), ref: 01508A5C
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • VirtualProtect.KERNELBASE(?,?,00000004,?,00000000,?,00000000), ref: 0024022D
    • VirtualProtect.KERNELBASE ref: 00240266
    Memory Dump Source
    • Source File: 0000000D.00000002.874821876.00240000.00000040.sdmp, Offset: 00240000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_240000_inbdgml.jbxd
    APIs
      • Part of subcall function 014F156E: GetModuleFileNameW.KERNEL32(00000000,01639AF2,00000104,00000001,00000000,?), ref: 014F160A
      • Part of subcall function 014F156E: GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 014F16BC
      • Part of subcall function 014F156E: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 014F1708
      • Part of subcall function 014B799B: ExitProcess.KERNEL32(?,?,014F8B62,000000FF,0000001E,00000001,00000000,00000000,?,014C246B,?,00000001,?,?,0153005B,00000018), ref: 014B79AC
    • RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 014F8B78
      • Part of subcall function 01531789: RtlDecodePointer.NTDLL ref: 01531794
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00000008,01532184,00000000), ref: 014B38B4
      • Part of subcall function 01531789: RtlDecodePointer.NTDLL ref: 01531794
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetVersion.KERNEL32(0150825B), ref: 0153ECC7
      • Part of subcall function 0153EA04: GetCurrentProcess.KERNEL32(00000008,?,.html,00000000,?,0153ECEB), ref: 0153EA24
      • Part of subcall function 0153EA04: OpenProcessToken.ADVAPI32(00000000,?,0153ECEB), ref: 0153EA2B
      • Part of subcall function 0153EA04: GetTokenInformation.KERNELBASE(00000000,00000019,00000000,00000000,?,0159532C,?,0153ECEB), ref: 0153EA47
      • Part of subcall function 0153EA04: GetLastError.KERNEL32(?,0153ECEB), ref: 0153EA4D
      • Part of subcall function 0153EA04: LocalAlloc.KERNEL32(00000040,?,?,0153ECEB), ref: 0153EA62
      • Part of subcall function 0153EA04: GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?,?,0153ECEB), ref: 0153EA7B
      • Part of subcall function 0153EA04: GetSidSubAuthority.ADVAPI32(00000000,00000000,?,0153ECEB), ref: 0153EA84
      • Part of subcall function 0153EA04: CloseHandle.KERNEL32(?), ref: 0153EA9C
      • Part of subcall function 0153EA04: LocalFree.KERNEL32(00000000,?,0153ECEB), ref: 0153EAA7
      • Part of subcall function 0153EAB4: GetCurrentThread.KERNEL32(0000000A,00000001,?), ref: 0153EB0C
      • Part of subcall function 0153EAB4: OpenThreadToken.ADVAPI32(00000000), ref: 0153EB13
      • Part of subcall function 0153EAB4: GetLastError.KERNEL32 ref: 0153EB1D
      • Part of subcall function 0153EAB4: GetCurrentProcess.KERNEL32(0000000A,?), ref: 0153EB34
      • Part of subcall function 0153EAB4: OpenProcessToken.ADVAPI32(00000000), ref: 0153EB3B
      • Part of subcall function 0153EAB4: DuplicateToken.ADVAPI32(?,00000002,?), ref: 0153EB52
      • Part of subcall function 0153EAB4: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0153EB77
      • Part of subcall function 0153EAB4: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0153EB9E
      • Part of subcall function 0153EAB4: GetLengthSid.ADVAPI32(?), ref: 0153EBAF
      • Part of subcall function 0153EAB4: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0153EBCE
      • Part of subcall function 0153EAB4: AddAccessAllowedAce.ADVAPI32(?,00000002,00000003,?), ref: 0153EBE5
      • Part of subcall function 0153EAB4: SetSecurityDescriptorDacl.ADVAPI32(0159532C,00000001,?,00000000), ref: 0153EBFA
      • Part of subcall function 0153EAB4: SetSecurityDescriptorGroup.ADVAPI32(0159532C,?,00000000), ref: 0153EC0B
      • Part of subcall function 0153EAB4: SetSecurityDescriptorOwner.ADVAPI32(0159532C,?,00000000), ref: 0153EC18
      • Part of subcall function 0153EAB4: IsValidSecurityDescriptor.ADVAPI32(0159532C), ref: 0153EC21
      • Part of subcall function 0153EAB4: AccessCheck.ADVAPI32(0159532C,?,00000001,?,?,?,?,?), ref: 0153EC56
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • RtlEncodePointer.NTDLL(6526AEAF), ref: 014DC99D
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,0158D1A8), ref: 014E94A9
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • RtlEncodePointer.NTDLL(Function_000DEBD7), ref: 01532B65
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • RtlEncodePointer.NTDLL(00000000), ref: 014ED320
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00000674,00001000,00000040), ref: 00210068
    Memory Dump Source
    • Source File: 0000000D.00000002.874812680.00210000.00000040.sdmp, Offset: 00210000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_210000_inbdgml.jbxd
    APIs
      • Part of subcall function 014B3871: RtlAllocateHeap.NTDLL(00000008,01532184,00000000), ref: 014B38B4
    • Sleep.KERNEL32(00000000,01532184,00000001,00000214), ref: 01508E8A
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00240096), ref: 002405DF
    Memory Dump Source
    • Source File: 0000000D.00000002.874821876.00240000.00000040.sdmp, Offset: 00240000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_240000_inbdgml.jbxd

    Non-executed Functions

    APIs
    • htonl.WS2_32(7F000001), ref: 014BE3D6
    • bind.WS2_32(00000000,?,00000010), ref: 014BE3EE
    • listen.WS2_32(00000000,00000001), ref: 014BE400
    • connect.WS2_32(00000002,?,00000010), ref: 014BE44C
    • accept.WS2_32(00000000,?,?), ref: 014BE463
    • WSAGetLastError.WS2_32 ref: 014BE4C8
    • WSASetLastError.WS2_32(00000000), ref: 014BE4FB
      • Part of subcall function 0150EEE4: closesocket.WS2_32(?), ref: 0150EEE8
    • WSASetLastError.WS2_32(00002726), ref: 014BE50A
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 014C54A3
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 014C54B8
    • UnhandledExceptionFilter.KERNEL32(015B5718), ref: 014C54C3
    • GetCurrentProcess.KERNEL32(C0000409), ref: 014C54DF
    • TerminateProcess.KERNEL32(00000000), ref: 014C54E6
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
      • Part of subcall function 01515D80: htons.WS2_32(?), ref: 01515DAB
      • Part of subcall function 014D7627: socket.WS2_32(0152256E,0152256E,0152256E), ref: 014D7634
    • setsockopt.WS2_32(00000000,00000029,0000001B,015473F9,00000004), ref: 015579B0
    • bind.WS2_32(00000000,?,015473F9), ref: 015579C8
      • Part of subcall function 014FD432: WSAGetLastError.WS2_32(00000002,?,01522599,00000000), ref: 014FD445
      • Part of subcall function 014FD432: getsockopt.WS2_32(000000FF,0000FFFF,00001007,000000FF,00000004), ref: 014FD470
      • Part of subcall function 01505BBA: closesocket.WS2_32(?), ref: 01505BBF
    • getsockname.WS2_32(00000000,?,?), ref: 01557A12
      • Part of subcall function 01510184: ioctlsocket.WS2_32(014B875F,8004667E,00000000), ref: 015101A2
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • IsDebuggerPresent.KERNEL32(?,00000001,?), ref: 014E1672
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 014E167C
    • UnhandledExceptionFilter.KERNEL32(?), ref: 014E1689
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetCurrentThread.KERNEL32(0000000A,00000001,?), ref: 0153EB0C
    • OpenThreadToken.ADVAPI32(00000000), ref: 0153EB13
    • GetLastError.KERNEL32 ref: 0153EB1D
    • GetCurrentProcess.KERNEL32(0000000A,?), ref: 0153EB34
    • OpenProcessToken.ADVAPI32(00000000), ref: 0153EB3B
    • DuplicateToken.ADVAPI32(?,00000002,?), ref: 0153EB52
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0153EB77
    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0153EB9E
    • GetLengthSid.ADVAPI32(?), ref: 0153EBAF
    • InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0153EBCE
    • AddAccessAllowedAce.ADVAPI32(?,00000002,00000003,?), ref: 0153EBE5
    • SetSecurityDescriptorDacl.ADVAPI32(0159532C,00000001,?,00000000), ref: 0153EBFA
    • SetSecurityDescriptorGroup.ADVAPI32(0159532C,?,00000000), ref: 0153EC0B
    • SetSecurityDescriptorOwner.ADVAPI32(0159532C,?,00000000), ref: 0153EC18
    • IsValidSecurityDescriptor.ADVAPI32(0159532C), ref: 0153EC21
    • AccessCheck.ADVAPI32(0159532C,?,00000001,?,?,?,?,?), ref: 0153EC56
      • Part of subcall function 0153EC80: LocalFree.KERNEL32(?,0153EC6C), ref: 0153EC88
      • Part of subcall function 0153EC80: LocalFree.KERNEL32(0159532C,0153EC6C), ref: 0153EC96
      • Part of subcall function 0153EC80: FreeSid.ADVAPI32(?,0153EC6C), ref: 0153ECA4
      • Part of subcall function 0153EC80: CloseHandle.KERNEL32(?), ref: 0153ECB2
      • Part of subcall function 0153EC80: CloseHandle.KERNEL32(?), ref: 0153ECC0
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
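The two token routines in this listing, the executed one at 0153EA04 (GetTokenInformation with class 00000019 followed by GetSidSubAuthority) and the non-executed one at 0153EAB4 just above (DuplicateToken with level 00000002, AllocateAndInitializeSid with RIDs 00000020 and 00000220, an ACE granting 00000003, AccessCheck for 00000001), only become readable once their constants are decoded. The Python below is an added example, not part of the Joe Sandbox report: the constant values are the public Windows SDK definitions, and the two ROUTINE lists are constructed from the arguments rendered above. One assumption is labelled in the code: the listing shows the identifier-authority argument of AllocateAndInitializeSid as "?", so SECURITY_NT_AUTHORITY (5) is assumed, the authority under which those two RIDs are defined.

```python
"""Decode the argument constants of the token and AccessCheck routines in this listing.
Added example, not part of the report; constant values are the public Windows SDK
definitions and the ROUTINE lists are constructed from the arguments shown above."""
from typing import Dict, List, Sequence, Tuple

# The listing shows AllocateAndInitializeSid's identifier-authority argument as '?',
# so SECURITY_NT_AUTHORITY is an assumption: it is the authority under which
# RID 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS) are defined.
SECURITY_NT_AUTHORITY = 5

TOKEN_INFO_CLASS = {0x12: "TokenElevationType", 0x14: "TokenElevation", 0x19: "TokenIntegrityLevel"}
# Mandatory-label RIDs (S-1-16-<rid>); a level is the highest threshold not above the RID.
INTEGRITY_LEVELS = [(0x0000, "Untrusted"), (0x1000, "Low"), (0x2000, "Medium"), (0x2100, "MediumPlus"),
                    (0x3000, "High"), (0x4000, "System"), (0x5000, "ProtectedProcess")]
STANDARD_RIGHTS = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
                   0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE"}
ADMINISTRATORS_SID = "S-1-5-32-544"

def sid_string(authority: int, rids: Sequence[int]) -> str:
    """Textual form of the SID AllocateAndInitializeSid assembles from its RID arguments."""
    return "S-1-%d" % authority + "".join("-%d" % r for r in rids)

def sid_from_allocate_args(args: Sequence[str], authority: int = SECURITY_NT_AUTHORITY) -> str:
    """args in listing order: pIdentifierAuthority, nSubAuthorityCount, rid0..rid7, *pSid."""
    count = int(args[1], 16)
    return sid_string(authority, [int(a, 16) for a in args[2:2 + count]])

def token_info_class(value: int) -> str:
    return TOKEN_INFO_CLASS.get(value, "TOKEN_INFORMATION_CLASS(%d)" % value)

def integrity_level(rid: int) -> str:
    """Name the level for the RID that GetSidSubAuthority returns from a TokenIntegrityLevel SID."""
    name = "Untrusted"
    for threshold, label in INTEGRITY_LEVELS:
        if rid >= threshold:
            name = label
    return name

def decode_access_mask(mask: int) -> Tuple[List[str], int, int]:
    """Split an ACCESS_MASK into standard-rights names, generic bits and object-specific bits."""
    standard = [name for bit, name in STANDARD_RIGHTS.items() if mask & bit]
    return standard, (mask >> 28) & 0xF, mask & 0xFFFF

def describe_routine(calls: List[Tuple[str, List[str]]]) -> Dict[str, object]:
    """Interpret the constants of a token / security-descriptor / AccessCheck routine."""
    info: Dict[str, object] = {}
    for api, args in calls:
        if api == "GetTokenInformation":          # 2nd argument is the TOKEN_INFORMATION_CLASS
            info["token_info_class"] = token_info_class(int(args[1], 16))
        elif api == "DuplicateToken":             # 2nd argument is the SECURITY_IMPERSONATION_LEVEL
            info["impersonation_level"] = {2: "SecurityImpersonation"}.get(int(args[1], 16), args[1])
        elif api == "AllocateAndInitializeSid":
            info["sid"] = sid_from_allocate_args(args)
        elif api == "AddAccessAllowedAce":        # 3rd argument is the ACE's access mask
            info["ace_mask"] = int(args[2], 16)
        elif api == "AccessCheck":                # 3rd argument is the desired access
            info["desired_access"] = int(args[2], 16)
    ace, desired = int(info.get("ace_mask", 0)), int(info.get("desired_access", 0))
    # Microsoft's documented idiom for "is the caller a local administrator": grant a private
    # mask to S-1-5-32-544 in a throwaway descriptor, then AccessCheck for some of those bits.
    info["matches_admin_idiom"] = (info.get("sid") == ADMINISTRATORS_SID
                                   and desired != 0 and (desired & ace) == desired)
    return info

# Constructed from the executed routine at 0153EA04 (TokenIntegrityLevel query).
ELEVATION_ROUTINE = [("GetTokenInformation", ["00000000", "00000019", "00000000", "00000000"])]
# Constructed from the non-executed routine at 0153EAB4 ('?' where the listing shows none).
ADMIN_CHECK_ROUTINE = [
    ("DuplicateToken", ["?", "00000002", "?"]),
    ("AllocateAndInitializeSid", ["?", "00000002", "00000020", "00000220", "00000000", "00000000",
                                  "00000000", "00000000", "00000000", "00000000", "?"]),
    ("AddAccessAllowedAce", ["?", "00000002", "00000003", "?"]),
    ("AccessCheck", ["0159532C", "?", "00000001", "?", "?", "?", "?", "?"]),
]

if __name__ == "__main__":
    print(describe_routine(ELEVATION_ROUTINE))
    print(describe_routine(ADMIN_CHECK_ROUTINE))
    print(decode_access_mask(0x1F01FF))  # the ACE mask in the main routine's AddAccessAllowedAce
```

With that assumption the SID decodes to S-1-5-32-544 (BUILTIN\Administrators), class 0x19 is TokenIntegrityLevel, and an ACE mask of 3 checked with desired access 1 is the shape of the Microsoft knowledge-base sample for testing local Administrators membership through AccessCheck. The 001F01FF mask passed to AddAccessAllowedAce in the main routine, just before its CreateDirectoryW call, decodes to all five standard rights plus the low nine object-specific bits, the value of FILE_ALL_ACCESS.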
    APIs
      • Part of subcall function 01540654: Sleep.KERNEL32(000003E8,015951A0,?,015407D4,00000001), ref: 0154066D
    • socket.WS2_32(00000002,00000001,00000006), ref: 015407E3
    • Sleep.KERNEL32(000000FA), ref: 015407F0
    • connect.WS2_32(00000000,0100007F,00000010), ref: 0154080B
    • send.WS2_32(00000000,?,00000020,00000000), ref: 01540851
    • recv.WS2_32(00000000,?,00000008,00000000), ref: 01540860
      • Part of subcall function 0153F9C2: GetTickCount.KERNEL32(key,?,?,01542939,00000000,00000000,?,0159E29C,00000000,?,0154397A,00000000,0163AD28,0161C1AC), ref: 0153FA1D
    • send.WS2_32(00000000,?,00000000,00000000), ref: 01540908
    • select.WS2_32(00000001,?,00000000,?,?), ref: 01540960
    • Sleep.KERNEL32(000000FA), ref: 0154096F
    • closesocket.WS2_32(00000000), ref: 01540978
    • ioctlsocket.WS2_32(00000000,4004667F,?), ref: 0154099A
    • recv.WS2_32(00000000,?,?,00000000), ref: 015409C1
    • closesocket.WS2_32(00000000), ref: 01540A0B
      • Part of subcall function 0154005C: OemToCharW.USER32(?,01680718), ref: 01540330
    • closesocket.WS2_32(00000000), ref: 01540A30
    • TerminateThread.KERNEL32(00000000), ref: 01540A3E
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetFileTime.KERNEL32(00000000,?,?,?,?,015437A4,?,?,?,00000000), ref: 0153E611
    • ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0153E626
    • GetFileSize.KERNEL32(?,00000000), ref: 0153E6CB
    • ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0153E6F7
    • ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0153E7C3
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E82E
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E88A
    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0153E8DD
    • SetFilePointer.KERNEL32(?,?,00000000,00000000,?,?,?,?), ref: 0153E8F2
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E904
    • SetFileTime.KERNEL32(?,?,?,?,?,?,?,?), ref: 0153E919
    • DeleteFileW.KERNEL32(00000001,?,?,?,?), ref: 0153E932
    • CloseHandle.KERNEL32(?), ref: 0153E952
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
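The per-function API listings in this report (the file routine just above that reads, writes back, calls SetFileTime and DeleteFileW; the socket loop that connects to 0100007F; the VirtualProtect stub in the 00240000 region; the paths under C:\ProgramData in the main routine) are what an analyst turns into triage logic. The Python below is an added example, not report output or a Joe Sandbox tool: it parses the "• Api.Module(args), ref: ADDR" format into per-function blocks, tags each block by call-sequence heuristics, and extracts file paths from the arguments as host IOC candidates. The tag names and heuristics are the example's own, and SAMPLE is constructed from lines quoted from this report.

```python
"""Triage helper for Joe Sandbox HCA API listings (added example, not report output).
Parses "• Api.Module(args), ref: ADDR" lines into per-function blocks, tags each block
from its call sequence and rendered constants, and pulls file paths out of the arguments."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Set

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"  # nested-call marker
    r"([A-Za-z_]\w*)\.([A-Za-z0-9_]+)(?:\(([^)]*)\))?"            # Api.Module(args)
    r",?\s*ref:\s*([0-9A-Fa-f]+)\s*$"                               # call-site address
)
PATH_RE = re.compile(r"[A-Za-z]:\\[^,()]+")
Call = namedtuple("Call", "api module args ref subcall_of")  # subcall_of: callee address or None

@dataclass
class Block:
    source: str = ""  # the "Source File:" memory-dump line
    calls: List[Call] = field(default_factory=list)

def parse_blocks(text: str) -> List[Block]:
    """One Block per "APIs" section; entries under "Strings" are skipped."""
    blocks, cur, in_strings = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur, in_strings = Block(), False
            blocks.append(cur)
        elif cur is None:
            continue
        elif s == "Strings":
            in_strings = True
        elif s.startswith("• Source File:"):
            cur.source, in_strings = s.split(":", 1)[1].strip(), False
        elif not in_strings and (m := CALL_RE.match(line)):
            sub, api, mod, args, ref = m.groups()
            arglist = [a.strip() for a in args.split(",")] if args else []
            cur.calls.append(Call(api, mod, arglist, int(ref, 16), sub))
    return blocks

def classify(block: Block) -> Set[str]:
    """Tag a block with behaviours visible from its call sequence alone."""
    tags = set()
    direct = [c.api for c in block.calls if c.subcall_of is None]
    # Victim-file rewrite: read, write back, restore timestamps, delete the original.
    if {"ReadFile", "WriteFile", "SetFileTime", "DeleteFileW"} <= set(direct):
        tags.add("file-rewrite-in-place")
    # Socket work loop, the shape behind the report's "network services in a loop" signature.
    if {"socket", "connect", "send", "recv", "closesocket"} <= set(direct):
        tags.add("socket-loop")
    if direct.count("VirtualProtect") >= 2:  # permission flips typical of an unpacking stub
        tags.add("protect-flip")
    for c in block.calls:
        a = [x.upper() for x in c.args]
        # connect() whose sockaddr renders as 0100007F: bytes 7F 00 00 01, i.e. 127.0.0.1.
        if c.api == "connect" and "0100007F" in a:
            tags.add("loopback-connect")
        if c.api == "htonl" and "7F000001" in a:  # 127.0.0.1 in host order: loopback listener
            tags.add("loopback-listener")
        # VirtualAlloc(..., MEM_COMMIT, PAGE_EXECUTE_READWRITE=0x40): RWX memory for unpacked code.
        if c.api == "VirtualAlloc" and len(a) >= 4 and a[3] == "00000040":
            tags.add("rwx-alloc")
    return tags

def extract_paths(blocks: List[Block]) -> List[str]:
    """Windows paths appearing as call arguments: host IOC candidates."""
    return sorted({m.group(0) for b in blocks for c in b.calls for a in c.args
                   for m in [PATH_RE.search(a)] if m})

# Constructed from lines of this report, addresses and arguments as rendered there.
SAMPLE = r"""
APIs
• ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0153E6F7
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E82E
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0153E8DD
• SetFileTime.KERNEL32(?,?,?,?,?,?,?,?), ref: 0153E919
Strings
• Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 015407E3
• connect.WS2_32(00000000,0100007F,00000010), ref: 0154080B
• send.WS2_32(00000000,?,00000020,00000000), ref: 01540851
• recv.WS2_32(00000000,?,00000008,00000000), ref: 01540860
• closesocket.WS2_32(00000000), ref: 01540978
• Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
APIs
• VirtualProtect.KERNELBASE(?,?,00000004,?,?), ref: 002400B6
• VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,00000004,?,?), ref: 002400C6
• Source File: 0000000D.00000002.874821876.00240000.00000040.sdmp, Offset: 00240000, based on PE: false
APIs
• VirtualAlloc.KERNELBASE(00000000,00000674,00001000,00000040), ref: 00210068
• Source File: 0000000D.00000002.874812680.00210000.00000040.sdmp, Offset: 00210000, based on PE: false
APIs
  • Part of subcall function 014BBDA1: GetModuleFileNameW.KERNEL32(00000000,C:\Users\admin\AppData\Local\Temp\inbdgml.exe,00000104), ref: 014BBDC1
  • Part of subcall function 0150811C: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData\upbbxxl.html), ref: 015081E6
  • Part of subcall function 0150811C: CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,?,00000002,00000002,00000000), ref: 015087EC
• Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
"""

if __name__ == "__main__":
    for block in parse_blocks(SAMPLE):
        print(block.source.split(",")[0], sorted(classify(block)) or "-")
    print(extract_paths(parse_blocks(SAMPLE)))
```

The heuristics key on the call sequence and the rendered constants rather than on addresses, which change with every unpacking run; the loopback match relies on the connect() sockaddr argument rendering as 0100007F, the little-endian reading of the bytes 7F 00 00 01 that encode 127.0.0.1. Subcall entries ("Part of subcall function") are kept for path extraction but excluded from the sequence checks, so a block is tagged only for what its own body does.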
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(?,.html,0159532C,00000000,?,01544376,.html,0159532C,?,01508269), ref: 0153EFCC
    • RegisterClassExW.USER32 ref: 0153F03B
      • Part of subcall function 014C258B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0151CD9B,00000000,015557C1,?,?,014D576F,000000FF,015556CA,?,?,014B2D13), ref: 014C2596
      • Part of subcall function 0153ED1A: GetVersionExW.KERNEL32(?,?,?,01544376,.html,0159532C,?,01508269), ref: 0153ED53
      • Part of subcall function 0153ED1A: GetNativeSystemInfo.KERNEL32(?), ref: 0153ED5D
      • Part of subcall function 0153ED1A: RegOpenKeyExA.ADVAPI32(80000002,0161BC4C,00000000,00000101,?,?,01544376,.html,0159532C,?,01508269), ref: 0153ED77
      • Part of subcall function 0153ED1A: RegQueryValueExA.ADVAPI32(?,0161BC7C,00000000,00000000,?,?,?,01544376,.html,0159532C,?,01508269), ref: 0153EDA2
      • Part of subcall function 0153ED1A: RegCloseKey.ADVAPI32(?,?,01544376,.html,0159532C,?,01508269), ref: 0153EDAB
      • Part of subcall function 0153ED1A: GetModuleFileNameW.KERNEL32(00000000,?,000001FF,?,01544376,.html,0159532C,?,01508269), ref: 0153EDFE
      • Part of subcall function 0153ED1A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0153EE1A
      • Part of subcall function 0153ED1A: GetFileSize.KERNEL32(00000000,00000000,?,01544376,.html,0159532C,?,01508269), ref: 0153EE29
      • Part of subcall function 0153ED1A: CloseHandle.KERNEL32(00000000), ref: 0153EE32
    • CreateWindowExW.USER32(00000000,?,00000000,00000000,01544376,?,00000001,00000001,00000000,00000000,00000000), ref: 0153F08D
    • UpdateWindow.USER32(00000000), ref: 0153F094
    • TranslateMessage.USER32(?), ref: 0153F0A6
    • DispatchMessageW.USER32(?), ref: 0153F0B0
    • UnregisterClassW.USER32(?), ref: 0153F0D0
    • GetUserGeoID.KERNEL32(00000010), ref: 0153F0D8
    • GetTimeZoneInformation.KERNEL32(?,?,?,01544376,.html,0159532C,?,01508269), ref: 0153F109
    • CryptAcquireContextW.ADVAPI32(0163AD20,00000000,00000000,00000001,F0000000,?,01544376,.html,0159532C,?,01508269), ref: 0153F156
      • Part of subcall function 0153E13D: CryptGenRandom.ADVAPI32(00000014,?,0167A6DC,0167A58C,?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E156
      • Part of subcall function 0153E13D: GetSystemTimeAsFileTime.KERNEL32(?,?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E160
      • Part of subcall function 0153E13D: GetTickCount.KERNEL32(?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E166
      • Part of subcall function 0153E13D: GetCurrentThreadId.KERNEL32(?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E16F
      • Part of subcall function 0153E13D: GetCurrentProcessId.KERNEL32(?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E17A
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • Sleep.KERNEL32(000003E8), ref: 0154362C
    • RtlEnterCriticalSection.NTDLL(?), ref: 01543642
    • RtlLeaveCriticalSection.NTDLL(?), ref: 01543671
      • Part of subcall function 0153E503: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0153E524
      • Part of subcall function 0153E503: ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0153E53D
      • Part of subcall function 0153E503: CloseHandle.KERNEL32(00000000), ref: 0153E544
      • Part of subcall function 0153E5B9: GetFileTime.KERNEL32(00000000,?,?,?,?,015437A4,?,?,?,00000000), ref: 0153E611
      • Part of subcall function 0153E5B9: ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0153E626
      • Part of subcall function 0153E5B9: GetFileSize.KERNEL32(?,00000000), ref: 0153E6CB
      • Part of subcall function 0153E5B9: ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0153E6F7
      • Part of subcall function 0153E5B9: ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0153E7C3
      • Part of subcall function 0153E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E82E
      • Part of subcall function 0153E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E88A
      • Part of subcall function 0153E5B9: DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0153E8DD
      • Part of subcall function 0153E5B9: SetFilePointer.KERNEL32(?,?,00000000,00000000,?,?,?,?), ref: 0153E8F2
      • Part of subcall function 0153E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E904
      • Part of subcall function 0153E5B9: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?), ref: 0153E919
      • Part of subcall function 0153E5B9: DeleteFileW.KERNEL32(00000001,?,?,?,?), ref: 0153E932
      • Part of subcall function 0153E5B9: CloseHandle.KERNEL32(?), ref: 0153E952
      • Part of subcall function 0154462A: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,015437F2,?,?,?,00000400), ref: 01544644
    • RtlEnterCriticalSection.NTDLL(0167CF2C), ref: 01543861
    • CreateFileW.KERNEL32(0167FF98,40000000,00000000,00000000,00000002,00000000,00000000), ref: 01543883
    • WriteFile.KERNEL32(0167CF28,?,?,?,00000000), ref: 015438A6
    • RtlLeaveCriticalSection.NTDLL(0167CF2C), ref: 015438AD
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,015951F8,00000000,00000000,015DAEA0,015DAEA0,00000000,015927F8,01637870,000000FF,?,01544254,00000000), ref: 01543F55
    • VirtualAllocEx.KERNEL32(00000002,00000000,?,00001000,00000004,015951F8,00000000,00000000,015DAEA0,015DAEA0,00000000,015927F8,01637870,000000FF,?,01544254), ref: 01543F60
      • Part of subcall function 0151A939: HeapFree.KERNEL32(00000000,00000000), ref: 0151A94F
      • Part of subcall function 0151A939: GetLastError.KERNEL32(00000000), ref: 0151A961
    • VirtualProtect.KERNEL32(?,?,00000020,?), ref: 01543FDC
    • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 01543FEE
    • WriteProcessMemory.KERNEL32(00000002,00000000,00000000,?,?), ref: 0154400B
    • VirtualProtectEx.KERNEL32(00000002,?,?,00000020,?), ref: 01544024
    • GetModuleHandleA.KERNEL32(0161C1F0,?,00000020,?), ref: 01544037
    • ResumeThread.KERNEL32(?,?,?,?,?,?,00000020,?), ref: 015440CE
    • ResumeThread.KERNEL32(?,?,00000020,?), ref: 0154414C
    • CloseHandle.KERNEL32(?), ref: 01544155
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetLastError.KERNEL32(?,014FDBE5,00000001,?,?,01637350,00000010,0151D8C7,?,00000001,00000001,?,?,?,?), ref: 014EBBA1
      • Part of subcall function 0151D8EE: SetFilePointer.KERNEL32(00000000,00000001,00000000,014CED28,00000001,00000001,?,?,?,014EB613,00000001,00000000,00000000,00000002,00000001,00000001), ref: 0151D930
      • Part of subcall function 0151D8EE: GetLastError.KERNEL32(?,014EB613,00000001,00000000,00000000,00000002,00000001,00000001,00000001,?,014FDBE5,00000001,?,?,01637350,00000010), ref: 0151D93D
    • GetConsoleMode.KERNEL32(00000001,?), ref: 014EB650
    • GetConsoleCP.KERNEL32(?,014FDBE5,00000001,?,?,01637350,00000010,0151D8C7,?,00000001,00000001,?,?,?,?), ref: 014EB670
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 014EB760
    • WriteFile.KERNEL32(00000001,?,00000000,?,00000000), ref: 014EB789
    • WriteFile.KERNEL32(00000001,?,00000001,?,00000000), ref: 014EB7E2
      • Part of subcall function 014F9069: WriteConsoleW.KERNEL32(01596590,00000001,00000001,00000000,00000000), ref: 014F909B
    • WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 014EB950
    • WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 014EBA2A
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 014EBAFA
    • WriteFile.KERNEL32(00000001,?,00000000,?,00000000), ref: 014EBB2B
    • GetLastError.KERNEL32 ref: 014EBB41
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 014EBB82
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • FindFirstFileW.KERNEL32(?,?), ref: 0154317A
    • RtlEnterCriticalSection.NTDLL(?), ref: 0154335D
    • RtlReAllocateHeap.NTDLL(00000008,?), ref: 015433DF
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 0154343F
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 01543489
    • RtlLeaveCriticalSection.NTDLL(?), ref: 015434A8
    • FindNextFileW.KERNEL32(?,?), ref: 015434B7
    • FindClose.KERNEL32(?), ref: 015434C9
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • OemToCharW.USER32(?,01680718), ref: 01540330
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • FindFirstFileExA.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0150134F
    • GetDriveTypeA.KERNEL32(00000000), ref: 015013B7
      • Part of subcall function 0151A939: HeapFree.KERNEL32(00000000,00000000), ref: 0151A94F
      • Part of subcall function 0151A939: GetLastError.KERNEL32(00000000), ref: 0151A961
      • Part of subcall function 0151A5A2: GetFileType.KERNEL32(?), ref: 0151A68B
      • Part of subcall function 0151A5A2: GetLastError.KERNEL32 ref: 0151A6AD
      • Part of subcall function 0151A5A2: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0151A71D
      • Part of subcall function 0151A5A2: GetFileInformationByHandle.KERNEL32(?,?), ref: 0151A755
      • Part of subcall function 0151A5A2: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0151A797
      • Part of subcall function 0151A5A2: FileTimeToSystemTime.KERNEL32(?,?), ref: 0151A7AD
      • Part of subcall function 0151A5A2: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0151A809
      • Part of subcall function 0151A5A2: FileTimeToSystemTime.KERNEL32(?,?), ref: 0151A81F
      • Part of subcall function 0151A5A2: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0151A87B
      • Part of subcall function 0151A5A2: FileTimeToSystemTime.KERNEL32(?,?), ref: 0151A891
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 015014D5
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 015014F1
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0150156B
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 01501587
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01501601
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0150161D
    • FindClose.KERNEL32(?), ref: 01501671
    • GetLastError.KERNEL32 ref: 015016CD
    • FindClose.KERNEL32(?), ref: 015016E0
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000200,.html,?,00000000,?,015084B4,?), ref: 01542FBE
    • GetTempPathW.KERNEL32(00000200,?), ref: 01542FC9
    • GetFileSize.KERNEL32(00000000,00000000), ref: 01543040
      • Part of subcall function 014F8B33: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 014F8B78
    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0154305D
    • CloseHandle.KERNEL32(00000000), ref: 01543064
    • CloseHandle.KERNEL32(?), ref: 015430EB
      • Part of subcall function 0151A939: HeapFree.KERNEL32(00000000,00000000), ref: 0151A94F
      • Part of subcall function 0151A939: GetLastError.KERNEL32(00000000), ref: 0151A961
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 015430E2
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
      • Part of subcall function 0152CC07: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0,01637450,0000000C,014FDBCB,00000001,01637350,00000010,0151D8C7,?,00000001,00000001,?,?,?,?), ref: 0152CC51
      • Part of subcall function 0152CC07: RtlEnterCriticalSection.NTDLL(?), ref: 0152CC89
    • GetFileType.KERNEL32(?), ref: 0151A68B
    • GetLastError.KERNEL32 ref: 0151A6AD
    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0151A71D
    • GetFileInformationByHandle.KERNEL32(?,?), ref: 0151A755
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0151A797
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0151A7AD
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0151A809
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0151A81F
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0151A87B
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0151A891
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
      • Part of subcall function 01532159: GetLastError.KERNEL32(?,?,01517506,014F72D0,hours,00000000), ref: 0153215D
      • Part of subcall function 01532159: RtlDecodePointer.NTDLL(00000000), ref: 01532199
      • Part of subcall function 01532159: GetCurrentThreadId.KERNEL32 ref: 015321AF
      • Part of subcall function 01532159: SetLastError.KERNEL32(00000000), ref: 015321C7
      • Part of subcall function 014C245A: Sleep.KERNEL32(00000000,00000001,?,?,0153005B,00000018,01637370,0000000C,015003C4,?,?,?,014E7A8A,0000000D), ref: 014C247B
      • Part of subcall function 015003A9: RtlEnterCriticalSection.NTDLL(?), ref: 015003D3
    • SetConsoleCtrlHandler.KERNEL32(0158EC10,00000001), ref: 0152BCBC
    • GetLastError.KERNEL32(?,015812F3), ref: 0152BCD8
    • RtlDecodePointer.NTDLL(016373D0), ref: 0152BD0C
    • RtlEncodePointer.NTDLL(?), ref: 0152BD1A
    • RtlDecodePointer.NTDLL(016373D0), ref: 0152BD2D
    • RtlEncodePointer.NTDLL(?), ref: 0152BD3B
    • RtlDecodePointer.NTDLL(016373D0), ref: 0152BD4E
    • RtlEncodePointer.NTDLL(?), ref: 0152BD5C
    • RtlDecodePointer.NTDLL(016373D0), ref: 0152BD6F
    • RtlEncodePointer.NTDLL(?), ref: 0152BD7D
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00090A4F,?,00000000,?), ref: 01540D0B
    • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 01540D19
    • TerminateThread.KERNEL32(00000000,00000000), ref: 01540D25
    • CloseHandle.KERNEL32(00000000), ref: 01540D2C
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 01540FC6
    • GetTempPathW.KERNEL32(00000200,?), ref: 01541013
    • DeleteFileW.KERNEL32(?), ref: 0154106E
    • GetVersion.KERNEL32 ref: 01541074
    • CoInitialize.OLE32(00000000), ref: 01541085
    • CoCreateInstance.OLE32(015B3EF8,00000000,00000001,015B3F50,?), ref: 015410A0
    • CoUninitialize.OLE32 ref: 015410CF
      • Part of subcall function 01540EAC: CoInitializeEx.OLE32(00000000,00000000), ref: 01540EBE
      • Part of subcall function 01540EAC: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 01540ED0
      • Part of subcall function 01540EAC: CoCreateInstance.OLE32(015B610C,00000000,00000001,015B5EFC,?), ref: 01540EEA
      • Part of subcall function 01540EAC: CoUninitialize.OLE32 ref: 01540F9B
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
      • Part of subcall function 0153EFB8: GetSystemTimeAsFileTime.KERNEL32(?,.html,0159532C,00000000,?,01544376,.html,0159532C,?,01508269), ref: 0153EFCC
      • Part of subcall function 0153EFB8: RegisterClassExW.USER32 ref: 0153F03B
      • Part of subcall function 0153EFB8: CreateWindowExW.USER32(00000000,?,00000000,00000000,01544376,?,00000001,00000001,00000000,00000000,00000000), ref: 0153F08D
      • Part of subcall function 0153EFB8: UpdateWindow.USER32(00000000), ref: 0153F094
      • Part of subcall function 0153EFB8: TranslateMessage.USER32(?), ref: 0153F0A6
      • Part of subcall function 0153EFB8: DispatchMessageW.USER32(?), ref: 0153F0B0
      • Part of subcall function 0153EFB8: UnregisterClassW.USER32(?), ref: 0153F0D0
      • Part of subcall function 0153EFB8: GetUserGeoID.KERNEL32(00000010), ref: 0153F0D8
      • Part of subcall function 0153EFB8: GetTimeZoneInformation.KERNEL32(?,?,?,01544376,.html,0159532C,?,01508269), ref: 0153F109
      • Part of subcall function 0153EFB8: CryptAcquireContextW.ADVAPI32(0163AD20,00000000,00000000,00000001,F0000000,?,01544376,.html,0159532C,?,01508269), ref: 0153F156
    • Sleep.KERNEL32(00002710,.html,0159532C,?,01508269), ref: 015443AC
    • ExitProcess.KERNEL32(00000000,?,01508269), ref: 015443BD
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 01544423
    • WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 01544439
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetDesktopWindow.USER32(00000000,000002BC,015421E7,00000000,00000000), ref: 01541DEE
    • GetDC.USER32(00000000), ref: 01541DF8
    • CreateCompatibleBitmap.GDI32(00000000,00000331,00000219), ref: 01541E04
    • CreateCompatibleDC.GDI32(00000000), ref: 01541E10
    • SelectObject.GDI32(00000000,?), ref: 01541E1D
    • SetDIBits.GDI32 ref: 01541E6E
    • ReleaseDC.USER32(?,?), ref: 01541E7A
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • SetTextColor.GDI32(?,00FFFFFF), ref: 0153F510
    • SetBkMode.GDI32(?,00000001), ref: 0153F519
    • GetTextExtentPoint32W.GDI32(?,0161BC94,00000007,?), ref: 0153F52B
    • SetTextColor.GDI32(?,00FFFFFF), ref: 0153F647
    • GetTextExtentPoint32W.GDI32(?,0161BC94,00000007,?), ref: 0153F6E3
    • SetTextColor.GDI32(?), ref: 0153F6F3
    • BitBlt.GDI32(?,?,00000000,00000000,00000000,00CC0020,?,01542687,00000000), ref: 0153F734
    • GetTextExtentPoint32W.GDI32(?,0161BC94,00000007,?), ref: 0153F769
    • SetTextColor.GDI32(?), ref: 0153F7A4
      • Part of subcall function 0153F3D8: GetTextExtentPoint32W.GDI32(?,?,-0000FFFF,0153F8B0), ref: 0153F43A
      • Part of subcall function 0153F3D8: GetTextExtentPoint32W.GDI32(?,?,-0000FFFF,0153F8B0), ref: 0153F468
      • Part of subcall function 0153F3D8: TextOutW.GDI32(?,0153F8B0,?,?,?), ref: 0153F4D1
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetVersionExW.KERNEL32(?,?,?,01544376,.html,0159532C,?,01508269), ref: 0153ED53
    • GetNativeSystemInfo.KERNEL32(?), ref: 0153ED5D
    • RegOpenKeyExA.ADVAPI32(80000002,0161BC4C,00000000,00000101,?,?,01544376,.html,0159532C,?,01508269), ref: 0153ED77
    • RegQueryValueExA.ADVAPI32(?,0161BC7C,00000000,00000000,?,?,?,01544376,.html,0159532C,?,01508269), ref: 0153EDA2
    • RegCloseKey.ADVAPI32(?,?,01544376,.html,0159532C,?,01508269), ref: 0153EDAB
      • Part of subcall function 014C258B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0151CD9B,00000000,015557C1,?,?,014D576F,000000FF,015556CA,?,?,014B2D13), ref: 014C2596
    • GetModuleFileNameW.KERNEL32(00000000,?,000001FF,?,01544376,.html,0159532C,?,01508269), ref: 0153EDFE
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0153EE1A
    • GetFileSize.KERNEL32(00000000,00000000,?,01544376,.html,0159532C,?,01508269), ref: 0153EE29
    • CloseHandle.KERNEL32(00000000), ref: 0153EE32
      • Part of subcall function 0153E95F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0153E971
      • Part of subcall function 0153E95F: Process32FirstW.KERNEL32 ref: 0153E98B
      • Part of subcall function 0153E95F: Process32NextW.KERNEL32(00000000,0000022C), ref: 0153E9E2
      • Part of subcall function 0153E95F: CloseHandle.KERNEL32(00000000), ref: 0153E9ED
      • Part of subcall function 0153E95F: CloseHandle.KERNEL32(00000000), ref: 0153E9F9
      • Part of subcall function 0153ECC7: GetVersion.KERNEL32(0150825B), ref: 0153ECC7
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 01542BB5
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 01542BC7
    • CoCreateInstance.OLE32(015B610C,00000000,00000001,015B5EFC,?), ref: 01542BE1
    • CoUninitialize.OLE32 ref: 01542BEB
    • GetUserNameW.ADVAPI32(?,?), ref: 01542DC8
    • CoUninitialize.OLE32 ref: 01542F6C
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000), ref: 0153FB1A
    • BitBlt.GDI32(?,00000302,0000000F,5D0101D6,00000000,00000000,00CC0020,?,0153FF54), ref: 0153FB46
      • Part of subcall function 0153F1F1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000001,?,00000040,00000000,?,01542687,00000000,?,01508A4E), ref: 0153F257
      • Part of subcall function 0153F1F1: BitBlt.GDI32(?,?,00000000,00000000,00000000,00CC0020,?,01542687,00000000), ref: 0153F299
      • Part of subcall function 0153F1F1: SetBkMode.GDI32(?,00000001), ref: 0153F2A4
      • Part of subcall function 0153F1F1: SelectObject.GDI32(?), ref: 0153F2C3
      • Part of subcall function 0153F1F1: GetTextExtentPointW.GDI32(?,?,?,?), ref: 0153F2D7
      • Part of subcall function 0153F1F1: TextOutW.GDI32(?,0000005C,?,?,?), ref: 0153F317
      • Part of subcall function 0153F1F1: TextOutW.GDI32(?,?,?,?,?), ref: 0153F354
    • SetTextColor.GDI32(?,00FF80FF), ref: 0153FDEB
    • DrawTextW.USER32(?,0167D748,000000FF,?,00004024), ref: 0153FE31
    • SetTextColor.GDI32(?,00FF80FF), ref: 0153FE86
    • DrawTextW.USER32(?,0167D748,000000FF,?,00004024), ref: 0153FED0
      • Part of subcall function 0153F835: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,?,00001000,?,01542687,00000000,?,01508A4E), ref: 0153F880
      • Part of subcall function 0153F8B7: SetTextColor.GDI32(?,00FFFFFF), ref: 0153F904
      • Part of subcall function 0153F8B7: SetTextColor.GDI32(?,0020FFFF), ref: 0153F91E
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
      • Part of subcall function 015444C2: Sleep.KERNEL32(000005DC,?,015089AB), ref: 01544524
    • Sleep.KERNEL32(000005DC,?,015089B0), ref: 01544563
    • DuplicateTokenEx.ADVAPI32(015089B0,02000000,00000000,00000001,00000001,?,?,015089B0), ref: 0154458C
    • GetModuleFileNameW.KERNEL32 ref: 015445C5
    • wsprintfW.USER32(?,0161C2C0,?), ref: 015445DE
    • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000100), ref: 01544600
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 01540A75
    • InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 01540AAE
    • HttpOpenRequestA.WININET(00000000,0161BF30,0161BF14,0161BF24,?,0161BF14,84A83100,00000000), ref: 01540AE7
    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 01540B11
    • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 01540B35
    • HttpOpenRequestA.WININET(00000000,0161BF30,0161BF14,0161BF24,?,0161BF14,84080100,00000000), ref: 01540B6E
    • HttpSendRequestA.WININET(?,?,000000FF,00000000,00000000), ref: 01540B85
    • InternetReadFile.WININET(00000000,00000000,00001000,0161BF14), ref: 01540BCD
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • htons.WS2_32(00000010), ref: 014FB730
    • htonl.WS2_32(0000012C), ref: 014FB783
    • htonl.WS2_32(00000000), ref: 014FB7FA
    • htons.WS2_32(?), ref: 014FB815
    • htons.WS2_32(00000000), ref: 014FB85D
      • Part of subcall function 014C258B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0151CD9B,00000000,015557C1,?,?,014D576F,000000FF,015556CA,?,?,014B2D13), ref: 014C2596
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CoInitialize.OLE32(00000000), ref: 015426D7
    • CoCreateInstance.OLE32(015B3EF8,00000000,00000001,015B3F50,00000001), ref: 015426F9
    • CoUninitialize.OLE32 ref: 01542703
    • GetUserNameW.ADVAPI32(?,?), ref: 0154279C
    • CoUninitialize.OLE32 ref: 0154288E
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • LoadLibraryA.KERNEL32(01624900), ref: 0157B97A
    • CloseHandle.KERNEL32(00000000), ref: 0157B9E1
    • FreeLibrary.KERNEL32(00000000), ref: 0157B9E8
    • CloseHandle.KERNEL32(00000000), ref: 0157BA1B
    • FreeLibrary.KERNEL32(00000000), ref: 0157BA22
    • CloseHandle.KERNEL32(00000000), ref: 0157BA30
    • FreeLibrary.KERNEL32(00000000), ref: 0157BA37
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • Sleep.KERNEL32(000005DC,?,00000000,0150894B), ref: 01544466
    • SetProcessWindowStation.USER32(00000000), ref: 01544476
    • Sleep.KERNEL32(000005DC,?,00000000,0150894B), ref: 015444A1
    • SetThreadDesktop.USER32(00000000), ref: 015444B7
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
      • Part of subcall function 0151D8EE: SetFilePointer.KERNEL32(00000000,00000001,00000000,014CED28,00000001,00000001,?,?,?,014EB613,00000001,00000000,00000000,00000002,00000001,00000001), ref: 0151D930
      • Part of subcall function 0151D8EE: GetLastError.KERNEL32(?,014EB613,00000001,00000000,00000000,00000002,00000001,00000001,00000001,?,014FDBE5,00000001,?,?,01637350,00000010), ref: 0151D93D
    • GetProcessHeap.KERNEL32(00000008,00001000), ref: 014B8170
    • RtlAllocateHeap.NTDLL(00000000), ref: 014B8177
      • Part of subcall function 014EB540: GetConsoleMode.KERNEL32(00000001,?), ref: 014EB650
      • Part of subcall function 014EB540: GetConsoleCP.KERNEL32(?,014FDBE5,00000001,?,?,01637350,00000010,0151D8C7,?,00000001,00000001,?,?,?,?), ref: 014EB670
      • Part of subcall function 014EB540: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 014EB760
      • Part of subcall function 014EB540: WriteFile.KERNEL32(00000001,?,00000000,?,00000000), ref: 014EB789
      • Part of subcall function 014EB540: WriteFile.KERNEL32(00000001,?,00000001,?,00000000), ref: 014EB7E2
      • Part of subcall function 014EB540: WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 014EB950
      • Part of subcall function 014EB540: WriteFile.KERNEL32(00000001,?,?,?,00000000), ref: 014EBA2A
      • Part of subcall function 014EB540: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 014EBAFA
      • Part of subcall function 014EB540: WriteFile.KERNEL32(00000001,?,00000000,?,00000000), ref: 014EBB2B
      • Part of subcall function 014EB540: GetLastError.KERNEL32 ref: 014EBB41
      • Part of subcall function 014EB540: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 014EBB82
      • Part of subcall function 014EB540: GetLastError.KERNEL32(?,014FDBE5,00000001,?,?,01637350,00000010,0151D8C7,?,00000001,00000001,?,?,?,?), ref: 014EBBA1
    • GetProcessHeap.KERNEL32(00000000,?), ref: 014B81F3
    • HeapFree.KERNEL32(00000000), ref: 014B81FA
    • SetEndOfFile.KERNEL32(00000000), ref: 014B8255
    • GetLastError.KERNEL32 ref: 014B8282
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
      • Part of subcall function 014B43E8: htonl.WS2_32(?), ref: 014B444E
    • htonl.WS2_32(014CCF0C), ref: 014CE3D8
      • Part of subcall function 015635A3: htonl.WS2_32(?), ref: 015636FF
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
      • Part of subcall function 0154C6AB: GetProcAddress.KERNEL32(00000000,0161ED18,?,00000000,?,01522439,?,00000100,00000000,?,0152FBC5,00000002,?,00000100,?,014F7C60), ref: 0154C6D6
      • Part of subcall function 0154C6AB: FreeLibrary.KERNEL32(?,?,01522439,?,00000100,00000000,?,0152FBC5,00000002,?,00000100,?,014F7C60,?,?,00000000), ref: 0154C798
      • Part of subcall function 014D9CC1: htonl.WS2_32(?), ref: 014D9CF4
      • Part of subcall function 0151C4CB: htonl.WS2_32(?), ref: 0151C561
      • Part of subcall function 0151A939: HeapFree.KERNEL32(00000000,00000000), ref: 0151A94F
      • Part of subcall function 0151A939: GetLastError.KERNEL32(00000000), ref: 0151A961
    • htons.WS2_32(00000009), ref: 0152255A
      • Part of subcall function 014D7627: socket.WS2_32(0152256E,0152256E,0152256E), ref: 014D7634
    • htonl.WS2_32 ref: 01522585
      • Part of subcall function 014FD432: WSAGetLastError.WS2_32(00000002,?,01522599,00000000), ref: 014FD445
      • Part of subcall function 014FD432: getsockopt.WS2_32(000000FF,0000FFFF,00001007,000000FF,00000004), ref: 014FD470
      • Part of subcall function 01505BBA: closesocket.WS2_32(?), ref: 01505BBF
      • Part of subcall function 01515D80: htons.WS2_32(?), ref: 01515DAB
    • connect.WS2_32(00000000,?,?), ref: 015225A6
    • getsockname.WS2_32(00000000,?,?), ref: 015225C1
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • gethostname.WS2_32(?,00000100), ref: 014F7BFD
      • Part of subcall function 014B43E8: htonl.WS2_32(?), ref: 014B444E
      • Part of subcall function 0152FBAE: htonl.WS2_32(00000000), ref: 0152FBDC
    • htonl.WS2_32(?), ref: 014F7C8F
      • Part of subcall function 014D032B: htonl.WS2_32(?), ref: 014D0339
      • Part of subcall function 015287B4: htonl.WS2_32(?), ref: 015287CA
      • Part of subcall function 0151A939: HeapFree.KERNEL32(00000000,00000000), ref: 0151A94F
      • Part of subcall function 0151A939: GetLastError.KERNEL32(00000000), ref: 0151A961
      • Part of subcall function 0150230E: htonl.WS2_32(?), ref: 01502333
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 015714EC
    • CryptSetHashParam.ADVAPI32(00000000,00000002,?,00000000), ref: 0157150B
      • Part of subcall function 01571624: GetLastError.KERNEL32(015712FF), ref: 01571624
    • CryptSignHashA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 01571538
    • CryptDestroyHash.ADVAPI32(?), ref: 015715A3
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01544292
    • Process32FirstW.KERNEL32 ref: 015442A8
      • Part of subcall function 015441C0: OpenProcessToken.ADVAPI32(000000FF,00000028,00000002,00000000,00000001,?,015442FB,0000022C), ref: 015441DE
      • Part of subcall function 015441C0: LookupPrivilegeValueW.ADVAPI32(00000000,0161C230,00000040), ref: 015441F2
      • Part of subcall function 015441C0: AdjustTokenPrivileges.ADVAPI32(00000002,00000000,?,00000010,00000000,00000000,?,015442FB,0000022C), ref: 01544212
      • Part of subcall function 015441C0: OpenProcess.KERNEL32(001FFFFF,00000000,00000002,?,015442FB,0000022C), ref: 01544221
      • Part of subcall function 015441C0: CloseHandle.KERNEL32(00000000), ref: 0154425E
    • Process32NextW.KERNEL32(00000000,?), ref: 01544311
    • Sleep.KERNEL32(000003E8), ref: 01544323
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CreateFileW.KERNEL32(C:\ProgramData\Adobe\hygrtse,40000000,00000000,00000000,00000004,00000002,00000000), ref: 01541272
    • Sleep.KERNEL32(00000064,?,01508807), ref: 01541281
    • WriteFile.KERNEL32(00000000,?,0000028E,01508807,00000000), ref: 015412A1
    • CloseHandle.KERNEL32(00000000), ref: 015412A8
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0153E524
    • ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0153E53D
    • CloseHandle.KERNEL32(00000000), ref: 0153E544
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,?), ref: 014E6146
    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,?), ref: 014E617A
    • GetLastError.KERNEL32 ref: 014E619F
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,?), ref: 014E61CD
    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?), ref: 014E628B
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 014BEA10
    • GetProcAddress.KERNEL32(00000000,01624628), ref: 014BEA20
    • GetDesktopWindow.USER32 ref: 014BEA4A
    • GetProcessWindowStation.USER32 ref: 014BEA50
    • GetLastError.KERNEL32 ref: 014BEA72
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,?), ref: 01589CEA
    • RtlLeaveCriticalSection.NTDLL(?), ref: 01589D05
    • GetQueuedCompletionStatus.KERNEL32(?,?,000000FF,?,?), ref: 01589D4C
    • ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 01589D7E
    • RtlLeaveCriticalSection.NTDLL(?), ref: 01589D87
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000028,00000002,00000000,00000001,?,015442FB,0000022C), ref: 015441DE
    • LookupPrivilegeValueW.ADVAPI32(00000000,0161C230,00000040), ref: 015441F2
    • AdjustTokenPrivileges.ADVAPI32(00000002,00000000,?,00000010,00000000,00000000,?,015442FB,0000022C), ref: 01544212
    • OpenProcess.KERNEL32(001FFFFF,00000000,00000002,?,015442FB,0000022C), ref: 01544221
      • Part of subcall function 01544177: GetModuleHandleA.KERNEL32(0161C210,?,01544237,?,015442FB,0000022C), ref: 01544194
      • Part of subcall function 01544177: GetProcAddress.KERNEL32(00000000,0161C220,?,01544237,?,015442FB,0000022C), ref: 015441A0
      • Part of subcall function 01543F0F: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,015951F8,00000000,00000000,015DAEA0,015DAEA0,00000000,015927F8,01637870,000000FF,?,01544254,00000000), ref: 01543F55
      • Part of subcall function 01543F0F: VirtualAllocEx.KERNEL32(00000002,00000000,?,00001000,00000004,015951F8,00000000,00000000,015DAEA0,015DAEA0,00000000,015927F8,01637870,000000FF,?,01544254), ref: 01543F60
      • Part of subcall function 01543F0F: VirtualProtect.KERNEL32(?,?,00000020,?), ref: 01543FDC
      • Part of subcall function 01543F0F: CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 01543FEE
      • Part of subcall function 01543F0F: WriteProcessMemory.KERNEL32(00000002,00000000,00000000,?,?), ref: 0154400B
      • Part of subcall function 01543F0F: VirtualProtectEx.KERNEL32(00000002,?,?,00000020,?), ref: 01544024
      • Part of subcall function 01543F0F: GetModuleHandleA.KERNEL32(0161C1F0,?,00000020,?), ref: 01544037
      • Part of subcall function 01543F0F: ResumeThread.KERNEL32(?,?,?,?,?,?,00000020,?), ref: 015440CE
      • Part of subcall function 01543F0F: ResumeThread.KERNEL32(?,?,00000020,?), ref: 0154414C
      • Part of subcall function 01543F0F: CloseHandle.KERNEL32(?), ref: 01544155
    • CloseHandle.KERNEL32(00000000), ref: 0154425E
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0153E971
    • Process32FirstW.KERNEL32 ref: 0153E98B
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0153E9E2
    • CloseHandle.KERNEL32(00000000), ref: 0153E9ED
    • CloseHandle.KERNEL32(00000000), ref: 0153E9F9
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 015037D4
    • GetCurrentProcessId.KERNEL32 ref: 015037E0
    • GetCurrentThreadId.KERNEL32 ref: 015037E8
    • GetTickCount.KERNEL32 ref: 015037F0
    • QueryPerformanceCounter.KERNEL32(?), ref: 015037FC
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CryptGenRandom.ADVAPI32(00000014,?,0167A6DC,0167A58C,?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E156
    • GetSystemTimeAsFileTime.KERNEL32(?,?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E160
    • GetTickCount.KERNEL32(?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E166
    • GetCurrentThreadId.KERNEL32(?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E16F
    • GetCurrentProcessId.KERNEL32(?,0153F16B,0167A528,?,01544376,.html,0159532C,?,01508269), ref: 0153E17A
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • LocalFree.KERNEL32(?,0153EC6C), ref: 0153EC88
    • LocalFree.KERNEL32(0159532C,0153EC6C), ref: 0153EC96
    • FreeSid.ADVAPI32(?,0153EC6C), ref: 0153ECA4
    • CloseHandle.KERNEL32(?), ref: 0153ECB2
    • CloseHandle.KERNEL32(?), ref: 0153ECC0
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetProcessHeap.KERNEL32 ref: 0154352A
    • wsprintfW.USER32(?,0161C170,0167D748,dzwyyul), ref: 01543578
      • Part of subcall function 0153E5B9: GetFileTime.KERNEL32(00000000,?,?,?,?,015437A4,?,?,?,00000000), ref: 0153E611
      • Part of subcall function 0153E5B9: ReadFile.KERNEL32(00000000,?,00000030,?,00000000), ref: 0153E626
      • Part of subcall function 0153E5B9: GetFileSize.KERNEL32(?,00000000), ref: 0153E6CB
      • Part of subcall function 0153E5B9: ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0153E6F7
      • Part of subcall function 0153E5B9: ReadFile.KERNEL32(?,?,00040000,?,00000000), ref: 0153E7C3
      • Part of subcall function 0153E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E82E
      • Part of subcall function 0153E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E88A
      • Part of subcall function 0153E5B9: DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0153E8DD
      • Part of subcall function 0153E5B9: SetFilePointer.KERNEL32(?,?,00000000,00000000,?,?,?,?), ref: 0153E8F2
      • Part of subcall function 0153E5B9: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0153E904
      • Part of subcall function 0153E5B9: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?), ref: 0153E919
      • Part of subcall function 0153E5B9: DeleteFileW.KERNEL32(00000001,?,?,?,?), ref: 0153E932
      • Part of subcall function 0153E5B9: CloseHandle.KERNEL32(?), ref: 0153E952
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetProcessHeap.KERNEL32(00000008,0000001C,.html,0159532C,?,00000000,01508232), ref: 0153E09B
    • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0153E0A2
    Strings
    • .html, xrefs: 0153E092
    • pwm,kwm,txt,cer,crt,der,pem,doc,cpp,c,php,js,cs,pas,bas,pl,py,docx,rtf,docm,xls,xlsx,safe,groups,xlk,xlsb,xlsm,mdb,mdf,dbf,sql,md,, xrefs: 0153E088
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 015712CC
    • CryptSetHashParam.ADVAPI32(?,00000002,?,00000000), ref: 015712EB
      • Part of subcall function 01571624: GetLastError.KERNEL32(015712FF), ref: 01571624
    • CryptSignHashA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 0157131B
    • CryptDestroyHash.ADVAPI32(?), ref: 0157135F
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 01540EBE
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 01540ED0
    • CoCreateInstance.OLE32(015B610C,00000000,00000001,015B5EFC,?), ref: 01540EEA
    • CoUninitialize.OLE32 ref: 01540F9B
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • htonl.WS2_32(?), ref: 0154B716
    • htonl.WS2_32(?), ref: 0154B763
      • Part of subcall function 014D032B: htonl.WS2_32(?), ref: 014D0339
      • Part of subcall function 0151A939: HeapFree.KERNEL32(00000000,00000000), ref: 0151A94F
      • Part of subcall function 0151A939: GetLastError.KERNEL32(00000000), ref: 0151A961
    • htonl.WS2_32(?), ref: 0154B7FE
    • htonl.WS2_32(00000000), ref: 0154B833
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • LoadLibraryA.KERNEL32(01624900), ref: 0157BA8F
    • FreeLibrary.KERNEL32(00000000), ref: 0157BAD5
    • CloseHandle.KERNEL32(00000000), ref: 0157BAFE
    • FreeLibrary.KERNEL32(00000000), ref: 0157BB05
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • DestroyWindow.USER32(?), ref: 0153EF7E
    • PostQuitMessage.USER32(00000000), ref: 0153EF88
    • SetTimer.USER32(?,00000032,00000032,00000000), ref: 0153EF99
    • DefWindowProcW.USER32(?,?,?,?), ref: 0153EFAB
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,016B1094), ref: 01543DE4
    • Process32FirstW.KERNEL32 ref: 01543DFE
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 01543E3E
    • CloseHandle.KERNEL32(00000000), ref: 01543E61
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetLastError.KERNEL32(?,?,01517506,014F72D0,hours,00000000), ref: 0153215D
      • Part of subcall function 0153A606: TlsGetValue.KERNEL32(?,01532170), ref: 0153A60F
      • Part of subcall function 0153A606: RtlDecodePointer.NTDLL ref: 0153A621
      • Part of subcall function 0153A606: TlsSetValue.KERNEL32(00000000), ref: 0153A630
    • SetLastError.KERNEL32(00000000), ref: 015321C7
      • Part of subcall function 01508E62: Sleep.KERNEL32(00000000,01532184,00000001,00000214), ref: 01508E8A
    • RtlDecodePointer.NTDLL(00000000), ref: 01532199
    • GetCurrentThreadId.KERNEL32 ref: 015321AF
      • Part of subcall function 0151A939: HeapFree.KERNEL32(00000000,00000000), ref: 0151A94F
      • Part of subcall function 0151A939: GetLastError.KERNEL32(00000000), ref: 0151A961
      • Part of subcall function 014E7A40: GetModuleHandleW.KERNEL32(015B42B4,016372C0,00000008,015321AD,00000000,00000000), ref: 014E7A51
      • Part of subcall function 014E7A40: InterlockedIncrement.KERNEL32(015958C0), ref: 014E7A92
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • htons.WS2_32(00000000), ref: 01512F7F
      • Part of subcall function 0151A939: HeapFree.KERNEL32(00000000,00000000), ref: 0151A94F
      • Part of subcall function 0151A939: GetLastError.KERNEL32(00000000), ref: 0151A961
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • htonl.WS2_32(43452D45), ref: 015535F8
    • htonl.WS2_32(00000000), ref: 0155362A
      • Part of subcall function 0151C4CB: htonl.WS2_32(?), ref: 0151C561
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000104,00000100,?,0154C6BC,00000000,?,01522439,?,00000100,00000000,?,0152FBC5,00000002,?,00000100), ref: 0153D77A
    • LoadLibraryW.KERNEL32(?), ref: 0153D7CF
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.874925722.014B0000.00000020.sdmp, Offset: 014B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_14b0000_inbdgml.jbxd

    Executed Functions

    Non-executed Functions