Windows Analysis Report iexplore.exe

Overview

General Information

Sample Name:iexplore.exe
Analysis ID:530482
MD5:aa094de5b8ef17848a5926c13eb67e26
SHA1:72df0e64ad124ef9bdfa0ed66b3afe62d4364192
SHA256:9c530f1306aa1312fda938169e208a033341bc49ff956695c7616ad6c5d4bc94

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to search for IE or Outlook window (often done to steal information)

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

  • System is w10x64
  • iexplore.exe (PID: 4524 cmdline: "C:\Users\user\Desktop\iexplore.exe" MD5: AA094DE5B8EF17848A5926C13EB67E26)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Source: iexplore.exe | Static PE information: certificate valid
Source: iexplore.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: iexplore.pdbUGP source: iexplore.exe
Source: Binary string: iexplore.pdb source: iexplore.exe
Source: iexplore.exe, 00000000.00000003.302461542.00000234392E1000.00000004.00000001.sdmp, iexplore.exe, 00000000.00000002.302823869.00000234392FB000.00000004.00000001.sdmp, iexplore.exe, 00000000.00000002.302816826.00000234392E1000.00000004.00000001.sdmp, iexplore.exe, 00000000.00000003.301339553.00000234392FB000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com
Source: iexplore.exe, 00000000.00000003.302357533.0000023439306000.00000004.00000001.sdmp, iexplore.exe, 00000000.00000003.301196574.0000023439306000.00000004.00000001.sdmp, iexplore.exe, 00000000.00000002.302834850.0000023439306000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.coml%
Source: iexplore.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexplore.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\iexplore.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\iexplore.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Users\user\Desktop\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFBABF6BC7DA4D719B.TMP
Source: iexplore.exe | String found in binary or memory: -startmanager
Source: iexplore.exe | String found in binary or memory: kernelbase.dllRaiseFailFastExceptionwilonecore\internal\sdk\inc\wil\opensource\wil\resource.hWilError_03ntdll.dllRtlDisownModuleHeapAllocationRtlRegisterFeatureConfigurationChangeNotificationRtlUnregisterFeatureConfigurationChangeNotificationRtlNotifyFeatureUsageNtQueryWnfStateDataNtUpdateWnfStateDataRtlSubscribeWnfStateChangeNotificationRtlUnsubscribeWnfNotificationWaitForCompletiononecore\internal\sdk\inc\wil\Staging.hWilStaging_02SCODEF:CREDAT:-newtabIEFrame{28fb17e0-d393-439d-9a21-9474a070473a} -eval-new-nowaitkernel32.dllSetSearchPathModeInternet Explorer-ResetDestinationListResetDestinationList-embedding-startmanagerTerminateOnShutdownSoftware\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exeLocal\SM0:%d:%d:%hsm
Source: iexplore.exe | String found in binary or memory: Application-Addon-Event-ProviderOPCOT
Source: classification engine | Classification label: clean3.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\iexplore.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: iexplore.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: iexplore.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iexplore.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iexplore.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iexplore.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iexplore.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iexplore.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: iexplore.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iexplore.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iexplore.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iexplore.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iexplore.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: iexplore.exe | Static PE information: section name: .didat
Source: iexplore.exe | Static PE information: 0xD40E0FD9 [Sat Sep 26 23:35:53 2082 UTC]
Source: C:\Users\user\Desktop\iexplore.exe | Process information set: NOOPENFILEERRORBOX
Source: iexplore.exe, 00000000.00000003.302390030.0000023439270000.00000004.00000001.sdmp, iexplore.exe, 00000000.00000002.302757863.0000023439270000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo
Source: C:\Users\user\Desktop\iexplore.exe | Code function: 0_2_00007FF7AB3320F0 InitializeCriticalSection,#798,CoCreateGuid,IsDebuggerPresent,#796,#797,#701,GetModuleHandleW,GetProcAddress,SetDllDirectoryW,SetErrorMode,GetCommandLineW,wcsncmp,LocalAlloc,StrStrIW,StrStrIW,StrStrIW,HeapSetInformation,#791,SetCurrentProcessExplicitAppUserModelID,StrStrIW,StrStrIW,FindWindowExW,GetWindowThreadProcessId,AllowSetForegroundWindow,StrStrIW,wcsncmp,iswspace,iswspace,iswspace,iswspace,wcsncmp,#796,StrStrIW,LocalFree,#650,#650,DeleteCriticalSection,RegGetValueW,GetCurrentProcess,TerminateProcess,0_2_00007FF7AB3320F0
Source: C:\Users\user\Desktop\iexplore.exe | Code function: 0_2_00007FF7AB338858 GetProcessHeap,HeapFree,0_2_00007FF7AB338858
Source: C:\Users\user\Desktop\iexplore.exe | Code function: 0_2_00007FF7AB332C20 DelayLoadFailureHook,LdrResolveDelayLoadedAPI,0_2_00007FF7AB332C20
Source: C:\Users\user\Desktop\iexplore.exe | Code function: 0_2_00007FF7AB3335F0 SetUnhandledExceptionFilter,0_2_00007FF7AB3335F0
Source: C:\Users\user\Desktop\iexplore.exe | Code function: 0_2_00007FF7AB333324 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7AB333324
Source: C:\Users\user\Desktop\iexplore.exe | Code function: 0_2_00007FF7AB3337C4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,0_2_00007FF7AB3337C4

Mitre Att&ck Matrix

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
  • Execution: Command and Scripting Interpreter 2, Scheduled Task/Job, At (Linux), At (Windows)
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
  • Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
  • Defense Evasion: Masquerading 1, Timestomp 1, Obfuscated Files or Information, Binary Padding
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
  • Discovery: System Time Discovery 1, Security Software Discovery 21, System Information Discovery 2, Remote System Discovery 1
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
  • Collection: Email Collection 1, Data from Removable Media, Data from Network Shared Drive, Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
  • Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
iexplore.exe | 0% | Metadefender |
iexplore.exe | 0% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:530482
Start date:29.11.2021
Start time:16:40:53
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 8s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:iexplore.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean3.winEXE@1/4@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 58.6%)
  • Quality average: 41.8%
  • Quality standard deviation: 40.1%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.203.70.208, 20.82.210.154
  • Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, store-images.s-microsoft.com-c.edgekey.net, arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/530482/sample/iexplore.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{500588E2-5176-11EC-90E9-ECF4BB862DED}.dat
Process:C:\Users\user\Desktop\iexplore.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):5120
Entropy (8bit):2.017921290260243
Encrypted:false
SSDEEP:24:rNGo/QC/pGo/G/f879lWRB9RsZQ9lWRB9RsZo:rNGo4SGohCRBfsZdRBfsZo
MD5:095527D85A729FBE92013FA6C3E3D0B9
SHA1:4700748ECA5E5BDD6617ED7CB9ADC745CC48CBDC
SHA-256:B04CA94AB4CEA285CAFD33B01FF4CEDB63DD144E713EEF30B3A638F2F414282C
SHA-512:791D67923510DD27D5082D75279CE57779A307F136145F3C98DF2954829751F22B1440ED5679015E5FE319568402776CA110FC97D9E73269FDDF99F01FC8B3BB
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{500588E4-5176-11EC-90E9-ECF4BB862DED}.dat
Process:C:\Users\user\Desktop\iexplore.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):4608
Entropy (8bit):1.6057063769354987
Encrypted:false
SSDEEP:12:rl0ZGFSCDrEgm8GL76Fk7rEgm8GT7qk9lYf0F9lQ8vjRYCDA1:r5G8E7G8m9lRF9lbjOB
MD5:00350B7C1B4B2C765362DCB0DCACA387
SHA1:CAEFE4CF3B0108E15EDB3EC19ECA6E6C0D0B2992
SHA-256:C5E5DE633DD965897BD6D31FBEBB7D3CDE994808A864D98CCB4596E241AEADFC
SHA-512:F6CE8CECE2F94FC0A4B3C5DDB6D501C5245A199DB032A558384DE0E8901609BAE15D694F6832F9AC88B5B8950B35D1430AFDA9A211BDEFA2E498925667BD2CDE
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\~DF185F14192541A715.TMP
Process:C:\Users\user\Desktop\iexplore.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.08156071711048025
Encrypted:false
SSDEEP:3:alFXEAUolll/4llclllv/ntrl9l+ll1lRslkhlEkllM/llQllblRfReClRRly++Y:a/vllQ/UvlkxMGVEBf5YCDA1
MD5:47F4A552CB0EDD210EDA62B1DB0CE011
SHA1:7086A121D01FDC86CE09B1072C2250C1A922A8A4
SHA-256:FA911E9BD6FBC808026640A943278E2AD5BD7F431DA57F4A7FD67C7A0E8FC7CC
SHA-512:A21227E4DAED18386391E5E625D578FA5714438EEA009A15226EBFE638828A327F42FC0CB183BE2BE73FD53DC1BA627CE857DBCB78011F4FE9A22F03B27400DB
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\~DFBABF6BC7DA4D719B.TMP
Process:C:\Users\user\Desktop\iexplore.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.06992407246571296
Encrypted:false
SSDEEP:3:bDese0uollV//ll4kAt/6/lclllv/nt+lybltll1lRslkhlEkllAT0ese0w7se0I:acP/okAoUFAlkxIPB
MD5:11B49D0DFAC19978FEDB67F3BFEE45F9
SHA1:04CE73CA21F36C431D7AEA8B080DD7824CD92671
SHA-256:1D5A35C2E3A1D134EF5D73F0B12E8530715643ECADE1B3ADF5CA09DE17907289
SHA-512:7A9286A5F8A19D1E138040A5F08C228593D99492C923E97A1D2CC8F1C7B36C41AF53879BCD01CDF71616CF6F54BAAEFD5F93AE10A2D98B9A8E84A4BE06EFEC10
Malicious:false
Reputation:low

Static File Info

General

File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):6.502025712772339
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:iexplore.exe
File size:842208
MD5:aa094de5b8ef17848a5926c13eb67e26
SHA1:72df0e64ad124ef9bdfa0ed66b3afe62d4364192
SHA256:9c530f1306aa1312fda938169e208a033341bc49ff956695c7616ad6c5d4bc94
SHA512:c2fa9b5141efbba11345e3e4565ddf63b3c9446bb711267a69abeb52117b0eb35ce6c563d97cf0ced03c3c3c9ea8dbd94c2a31d579d4888f03654a75bd5e3b7b
SSDEEP:24576:SUf4lGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMUMMVW:SKMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......EQ...0.L.0.L.0.L.HdL.0.L.[.M.0.L.[.M.0.L.[.M.0.L.[.M.0.L.0.L.0.L.[.M.0.L.[.L.0.L.[.M.0.LRich.0.L................PE..d..........

File Icon

Icon Hash:e1e8ccdecccdf136

Static PE Info

General

Entrypoint:0x1400032d0
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0xD40E0FD9 [Sat Sep 26 23:35:53 2082 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:8d62b7253079493d3b3cc9d2d3d32a62

Authenticode Signature

Signature Valid:true
Signature Issuer:CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before:12/15/2020 1:24:20 PM
Not After:12/2/2021 1:24:20 PM
Subject Chain
  • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:4068B1B0494EFA79F5A751DCCA8111CD
Thumbprint SHA-1:914A09C2E02C696AF394048BCB8D95449BCD5B9E
Thumbprint SHA-256:4A838904E732A380E2856A9D6FEE926E5C57EB59336292AC5D9E47C9B2C1ED13
Serial:33000003DFFB6AE3F427ECB6A30000000003DF

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBE94AF5C00h
dec eax
add esp, 28h
jmp 00007FBE94AF5493h
int3
int3
int3
int3
int3
int3
jmp dword ptr [000081F2h]
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [0000BDF1h]
jne 00007FBE94AF5722h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FBE94AF5713h
ret
dec eax
ror ecx, 10h
jmp 00007FBE94AF5757h
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00007F2Bh]
dec eax
mov ecx, ebx
call dword ptr [00007F2Ah]
call dword ptr [00007FD4h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00007FD8h]
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [0000BE8Dh]
call dword ptr [00007F07h]
dec eax
mov eax, dword ptr [0000BF78h]
dec eax
mov dword ptr [esp+48h], eax
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+50h]
dec eax
mov ecx, dword ptr [esp+48h]
call dword ptr [00007EE0h]

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd740 | 0xc8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0xbd5a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x10000 | 0xabc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xcb800 | 0x21e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0x88 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbed0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb1a8 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb080 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb1d0 | 0x3c0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xd670 | 0x60 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9544 | 0x9600 | False | 0.535572916667 | data | 6.0486724667 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x3410 | 0x3600 | False | 0.399377893519 | data | 4.86753322026 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0xb8c | 0x200 | False | 0.1640625 | data | 0.986135754532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x10000 | 0xabc | 0xc00 | False | 0.460286458333 | data | 4.16749125611 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x11000 | 0x38 | 0x200 | False | 0.06640625 | PGP\011Secret Key - | 0.345827309422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0xbd5a0 | 0xbd600 | False | 0.621480507426 | data | 6.46723549077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd0000 | 0x88 | 0x200 | False | 0.251953125 | data | 1.64589807886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
EDPENLIGHTENEDAPPINFOID | 0x2e4a0 | 0x2 | data | English | United States
EDPPERMISSIVEAPPINFOID | 0x2e4a8 | 0x2 | data | English | United States
MUI | 0xcf448 | 0x158 | data | English | United States
WEVT_TEMPLATE | 0x15130 | 0x1936a | data | English | United States
RT_ICON | 0x2e4b0 | 0x668 | data | English | United States
RT_ICON | 0x2eb18 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4008635955, next used block 770286 | English | United States
RT_ICON | 0x2ee00 | 0x1e8 | data | English | United States
RT_ICON | 0x2efe8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x2f110 | 0xea8 | data | English | United States
RT_ICON | 0x2ffb8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16182429, next used block 16773761 | English | United States
RT_ICON | 0x30860 | 0x6c8 | data | English | United States
RT_ICON | 0x30f28 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x31490 | 0xcbf1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x3e088 | 0x25a8 | data | English | United States
RT_ICON | 0x40630 | 0x10a8 | data | English | United States
RT_ICON | 0x416d8 | 0x988 | data | English | United States
RT_ICON | 0x42060 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x42588 | 0x668 | data | English | United States
RT_ICON | 0x42bf0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3096152115, next used block 7829367 | English | United States
RT_ICON | 0x42ed8 | 0x1e8 | data | English | United States
RT_ICON | 0x430c0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x431e8 | 0xea8 | data | English | United States
RT_ICON | 0x44090 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16251127, next used block 16185593 | English | United States
RT_ICON | 0x44938 | 0x6c8 | data | English | United States
RT_ICON | 0x45000 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x45568 | 0x97d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x4ed40 | 0x25a8 | data | English | United States
RT_ICON | 0x512e8 | 0x10a8 | data | English | United States
RT_ICON | 0x52390 | 0x988 | data | English | United States
RT_ICON | 0x52d18 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x53240 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4160290815, next used block 0 | English | United States
RT_ICON | 0x53528 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x53dd0 | 0x10a8 | data | English | United States
RT_ICON | 0x54ea8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2004318071, next used block 32888 | English | United States
RT_ICON | 0x551a8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3096152115, next used block 7829367 | English | United States
RT_ICON | 0x55490 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x555b8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16120058, next used block 16120572 | English | United States
RT_ICON | 0x55e60 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x563c8 | 0x10a8 | data | English | United States
RT_ICON | 0x57470 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x57938 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1953286086, next used block 128 | English | United States
RT_ICON | 0x57c20 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x57d48 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15265516, next used block 14937073 | English | United States
RT_ICON | 0x585f0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x58b58 | 0x10a8 | data | English | United States
RT_ICON | 0x59c00 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x5a0c8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4177497999, next used block 7374984 | English | United States
RT_ICON | 0x5a3b0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x5ac58 | 0x10a8 | data | English | United States
RT_ICON | 0x5bd30 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4287627263, next used block 8947847 | English | United States
RT_ICON | 0x5c018 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15724527, next used block 14870778 | English | United States
RT_ICON | 0x5c8c0 | 0x10a8 | data | English | United States
RT_ICON | 0x5d998 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4177526783, next used block 15792376 | English | United States
RT_ICON | 0x5dc80 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x5dda8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14808529, next used block 15399129 | English | United States
RT_ICON | 0x5e650 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x5ebb8 | 0x10a8 | data | English | United States
RT_ICON | 0x5fc60 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x60128 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 248, next used block 52302 | English | United States
RT_ICON | 0x60410 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x60560 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x60688 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x60bf0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x61088 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x611b0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x61718 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x61bb0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x61cd8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x62240 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x626d8 | 0x668 | data | English | United States
RT_ICON | 0x62d40 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3096152115, next used block 7829367 | English | United States
RT_ICON | 0x63028 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x63150 | 0xea8 | data | English | United States
RT_ICON | 0x63ff8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16251127, next used block 16185593 | English | United States
RT_ICON | 0x648a0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x64e08 | 0x25a8 | data | English | United States
RT_ICON | 0x673b0 | 0x10a8 | data | English | United States
RT_ICON | 0x68458 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x68948 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4177497999, next used block 7374984 | English | United States
RT_ICON | 0x68c30 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x68d58 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x69600 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x69b68 | 0x10a8 | data | English | United States
RT_ICON | 0x6ac10 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6b0d8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3096152115, next used block 7829367 | English | United States
RT_ICON | 0x6b3c0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6b4e8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16709604, next used block 16118257 | English | United States
RT_ICON | 0x6bd90 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6c2f8 | 0x10a8 | data | English | United States
RT_ICON | 0x6d3a0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6d868 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3096152115, next used block 7829367 | English | United States
RT_ICON | 0x6db50 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6dc78 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16709604, next used block 16118257 | English | United States
RT_ICON | 0x6e520 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6ea88 | 0x10a8 | data | English | United States
RT_ICON | 0x6fb30 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6fff8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3096152115, next used block 7829367 | English | United States
RT_ICON | 0x702e0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x70408 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16709604, next used block 16118257 | English | United States
RT_ICON | 0x70cb0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x71218 | 0x10a8 | data | English | United States
RT_ICON | 0x722c0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x72788 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3337062286, next used block 28791 | English | United States
RT_ICON | 0x72a70 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x72b98 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 13036186, next used block 16055484 | English | United States
RT_ICON | 0x73440 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x739a8 | 0x10a8 | data | English | United States
RT_ICON | 0x74a50 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x74f18 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 51, next used block 0 | English | United States
RT_ICON | 0x75200 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x75328 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x75bd0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x76138 | 0x10a8 | data | English | United States
RT_ICON | 0x771e0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x776a8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 16287887, next used block 0 | English | United States
RT_ICON | 0x77990 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16184819, next used block 16185078 | English | United States
RT_ICON | 0x78238 | 0x10a8 | data | English | United States
RT_ICON | 0x79310 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294967295, next used block 7899271 | English | United States
RT_ICON | 0x795f8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x79ea0 | 0x10a8 | data | English | United States
RT_ICON | 0x7af78 | 0x668 | data | English | United States
RT_ICON | 0x7b5e0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4160749567, next used block 8423559 | English | United States
RT_ICON | 0x7b8c8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x7b9f0 | 0xea8 | data | English | United States
RT_ICON | 0x7c898 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x7d140 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x7d6a8 | 0x414c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x817f8 | 0x25a8 | data | English | United States
RT_ICON | 0x83da0 | 0x10a8 | data | English | United States
RT_ICON | 0x84e48 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x85348 | 0x668 | data | English | United States
RT_ICON | 0x859b0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4008635955, next used block 770286 | English | United States
RT_ICON | 0x85c98 | 0x1e8 | data | English | United States
RT_ICON | 0x85e80 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x85fa8 | 0xea8 | data | English | United States
RT_ICON | 0x86e50 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16182429, next used block 16773761 | English | United States
RT_ICON | 0x876f8 | 0x6c8 | data | English | United States
RT_ICON | 0x87dc0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x88328 | 0xcbf1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x94f20 | 0x25a8 | data | English | United States
RT_ICON | 0x974c8 | 0x10a8 | data | English | United States
RT_ICON | 0x98570 | 0x988 | data | English | United States
RT_ICON | 0x98ef8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x99420 | 0x668 | data | English | United States
RT_ICON | 0x99a88 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3096152115, next used block 7829367 | English | United States
RT_ICON | 0x99d70 | 0x1e8 | data | English | United States
RT_ICON | 0x99f58 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x9a080 | 0xea8 | data | English | United States
RT_ICON | 0x9af28 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16251127, next used block 16185593 | English | United States
RT_ICON | 0x9b7d0 | 0x6c8 | data | English | United States
RT_ICON | 0x9be98 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x9c400 | 0x97d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0xa5bd8 | 0x25a8 | data | English | United States
RT_ICON | 0xa8180 | 0x10a8 | data | English | United States
RT_ICON | 0xa9228 | 0x988 | data | English | United States
RT_ICON | 0xa9bb0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xaa0d8 | 0x668 | data | English | United States
RT_ICON | 0xaa740 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4008635955, next used block 770286 | English | United States
RT_ICON | 0xaaa28 | 0x1e8 | data | English | United States
RT_ICON | 0xaac10 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xaad38 | 0xea8 | data | English | United States
RT_ICON | 0xabbe0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16182429, next used block 16773761 | English | United States
RT_ICON | 0xac488 | 0x6c8 | data | English | United States
RT_ICON | 0xacb50 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xad0b8 | 0xcbf1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0xb9cb0 | 0x25a8 | data | English | United States
RT_ICON | 0xbc258 | 0x10a8 | data | English | United States
RT_ICON | 0xbd300 | 0x988 | data | English | United States
RT_ICON | 0xbdc88 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xbe1b0 | 0x668 | data | English | United States
RT_ICON | 0xbe818 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3096152115, next used block 7829367 | English | United States
RT_ICON | 0xbeb00 | 0x1e8 | data | English | United States
RT_ICON | 0xbece8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xbee10 | 0xea8 | data | English | United States
RT_ICON | 0xbfcb8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16251127, next used block 16185593 | English | United States
RT_ICON | 0xc0560 | 0x6c8 | data | English | United States
RT_ICON | 0xc0c28 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc1190 | 0x97d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0xca968 | 0x25a8 | data | English | United States
RT_ICON | 0xccf10 | 0x10a8 | data | English | United States
RT_ICON | 0xcdfb8 | 0x988 | data | English | United States
RT_ICON | 0xce940 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0xbe0f0 | 0xbc | data | English | United States
RT_GROUP_ICON | 0x99360 | 0xbc | data | English | United States
RT_GROUP_ICON | 0xceda8 | 0xbc | data | English | United States
RT_GROUP_ICON | 0xaa018 | 0xbc | data | English | United States
RT_GROUP_ICON | 0x424c8 | 0xbc | data | English | United States
RT_GROUP_ICON | 0x53180 | 0xbc | data | English | United States
RT_GROUP_ICON | 0x54e78 | 0x30 | data | English | United States
RT_GROUP_ICON | 0x55190 | 0x14 | data | English | United States
RT_GROUP_ICON | 0x5a068 | 0x5a | data | English | United States
RT_GROUP_ICON | 0x578d8 | 0x5a | data | English | United States
RT_GROUP_ICON | 0x5bd00 | 0x30 | data | English | United States
RT_GROUP_ICON | 0x5d968 | 0x30 | data | English | United States
RT_GROUP_ICON | 0x60538 | 0x22 | data | English | United States
RT_GROUP_ICON | 0x600c8 | 0x5a | data | English | United States
RT_GROUP_ICON | 0x74eb8 | 0x5a | data | English | United States
RT_GROUP_ICON | 0x61058 | 0x30 | data | English | United States
RT_GROUP_ICON | 0x61b80 | 0x30 | data | English | United States
RT_GROUP_ICON | 0x626a8 | 0x30 | data | English | United States
RT_GROUP_ICON | 0x77648 | 0x5a | data | English | United States
RT_GROUP_ICON | 0x688c0 | 0x84 | data | English | United States
RT_GROUP_ICON | 0x6b078 | 0x5a | data | English | United States
RT_GROUP_ICON | 0x6d808 | 0x5a | data | English | United States
RT_GROUP_ICON | 0x6ff98 | 0x5a | data | English | United States
RT_GROUP_ICON | 0x72728 | 0x5a | data | English | United States
RT_GROUP_ICON | 0x792e0 | 0x30 | data | English | United States
RT_GROUP_ICON | 0x7af48 | 0x30 | data | English | United States
RT_GROUP_ICON | 0x852b0 | 0x92 | data | English | United States
RT_VERSION | 0xcee68 | 0x5e0 | data | English | United States
RT_MANIFEST | 0x14960 | 0x7c9 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
USER32.dll | GetWindowThreadProcessId, AllowSetForegroundWindow, FindWindowExW, SendMessageTimeoutW, IsWindowVisible, SetUserObjectInformationW, IsWindowEnabled
msvcrt.dll | _onexit, __dllonexit, _unlock, _lock, memset, _commode, __C_specific_handler, _vsnwprintf, memcpy_s, iswspace, ?terminate@@YAXXZ, _purecall, memmove_s, _fmode, _wcmdln, _initterm, __setusermatherr, _cexit, _exit, exit, __set_app_type, wcsncmp, free, _XcptFilter, _amsg_exit, __wgetmainargs, memcmp
KERNEL32.dll | CreateThreadpoolTimer, ReleaseSRWLockShared, SetThreadpoolTimer, CloseHandle, HeapSetInformation, WaitForSingleObjectEx, DelayLoadFailureHook, ResolveDelayLoadedAPI, GetProcAddress, HeapAlloc, OpenSemaphoreW, SetDllDirectoryW, AcquireSRWLockExclusive, GetTickCount, GetSystemTimeAsFileTime, QueryPerformanceCounter, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetStartupInfoW, Sleep, IsDebuggerPresent, InitOnceComplete, DebugBreak, GetModuleHandleW, GetProcessHeap, GetCurrentProcessId, DeleteCriticalSection, AcquireSRWLockShared, LocalFree, GetModuleFileNameA, InitOnceBeginInitialize, CreateSemaphoreExW, HeapFree, SetLastError, EnterCriticalSection, GetCommandLineW, GetCurrentProcess, ReleaseSemaphore, GetModuleHandleExW, TerminateProcess, LeaveCriticalSection, InitializeCriticalSection, SetErrorMode, InitializeCriticalSectionEx, WaitForThreadpoolTimerCallbacks, WaitForSingleObject, LocalAlloc, GetCurrentThreadId, ReleaseMutex, FormatMessageW, GetLastError, ReleaseSRWLockExclusive, OutputDebugStringW, CloseThreadpoolTimer, CreateMutexExW
api-ms-win-downlevel-advapi32-l1-1-0.dll | RegGetValueW, EventRegister, EventWriteTransfer, EventWriteEx, EventUnregister
api-ms-win-downlevel-shell32-l1-1-0.dll | SetCurrentProcessExplicitAppUserModelID
ADVAPI32.dll | EventSetInformation
iertutil.dll | 
api-ms-win-downlevel-shlwapi-l1-1-0.dll | StrStrIW
api-ms-win-downlevel-ole32-l1-1-0.dll | CoCreateGuid

Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | iexplore
FileVersion | 11.00.19041.1202 (WinBuild.160101.0800)
CompanyName | Microsoft Corporation
ProductName | Internet Explorer
ProductVersion | 11.00.19041.1202
FileDescription | Internet Explorer
OriginalFilename | IEXPLORE.EXE
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | iexplore
FileVersion | 11.00.19041.1202
CompanyName | Microsoft Corporation
ProductName | Internet Explorer
ProductVersion | 11.00.19041.1202
FileDescription | Internet Explorer
OriginalFilename | IEXPLORE.EXE
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States | 

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage


Memory Usage


System Behavior

General

Start time: 16:41:53
Start date: 29/11/2021
Path: C:\Users\user\Desktop\iexplore.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\iexplore.exe"
Imagebase: 0x7ff7ab330000
File size: 842208 bytes
MD5 hash: AA094DE5B8EF17848A5926C13EB67E26
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage: 6.3%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 11%
    Total number of Nodes: 826
    Total number of Limit Nodes: 3

    Graph

    [execution_graph: interactive call-graph view of the sample's functions and the Windows API calls they reach; the node and edge listing behind the viewer is not reproduced here]
3239 7ff7ab3363f0 3225->3239 3247 7ff7ab3354ac 3225->3247 3263 7ff7ab334ac8 3226->3263 3230 7ff7ab335b91 memmove_s 3227->3230 3227->3233 3231 7ff7ab335bbd 3230->3231 3232 7ff7ab335c0b 3230->3232 3255 7ff7ab336c04 3231->3255 3234 7ff7ab335bca 3232->3234 3277 7ff7ab3368d8 3232->3277 3233->3210 3233->3211 3233->3212 3237 7ff7ab336c04 3 API calls 3234->3237 3237->3233 3240 7ff7ab33644d 3239->3240 3242 7ff7ab33641c 3239->3242 3241 7ff7ab336498 3240->3241 3244 7ff7ab3354ac 3 API calls 3240->3244 3245 7ff7ab3368d8 memcpy_s 3241->3245 3243 7ff7ab33643b 3242->3243 3246 7ff7ab3368d8 memcpy_s 3242->3246 3243->3225 3244->3240 3245->3243 3246->3243 3248 7ff7ab33550b 3247->3248 3249 7ff7ab3354d6 3247->3249 3250 7ff7ab335571 3248->3250 3252 7ff7ab335539 3248->3252 3253 7ff7ab33551f memcpy_s 3248->3253 3249->3250 3251 7ff7ab3354e3 memcpy_s 3249->3251 3250->3225 3251->3252 3252->3250 3254 7ff7ab335555 memcpy_s 3252->3254 3253->3252 3254->3250 3259 7ff7ab336c29 3255->3259 3256 7ff7ab336cbb 3256->3234 3257 7ff7ab336c7c 3257->3256 3260 7ff7ab336cad 3257->3260 3261 7ff7ab336c8b memcpy_s 3257->3261 3258 7ff7ab336c6a memcpy_s 3258->3257 3259->3256 3259->3257 3259->3258 3260->3256 3262 7ff7ab336cbf memcpy_s 3260->3262 3261->3260 3262->3256 3264 7ff7ab334b9c 3263->3264 3265 7ff7ab334b1f 3263->3265 3267 7ff7ab3354ac 3 API calls 3264->3267 3271 7ff7ab334be3 3264->3271 3274 7ff7ab334b88 3264->3274 3275 7ff7ab334c07 3264->3275 3266 7ff7ab334b3e 3265->3266 3268 7ff7ab3368d8 memcpy_s 3265->3268 3281 7ff7ab334dc8 3266->3281 3267->3264 3268->3266 3273 7ff7ab3368d8 memcpy_s 3271->3273 3272 7ff7ab3354ac 3 API calls 3272->3274 3273->3274 3274->3275 3276 7ff7ab3368d8 memcpy_s 3274->3276 3275->3227 3276->3275 3278 7ff7ab336920 3277->3278 3279 7ff7ab3368e5 3277->3279 3278->3234 3279->3278 3280 7ff7ab336910 memcpy_s 3279->3280 3280->3278 3282 7ff7ab334b67 3281->3282 3284 7ff7ab334e16 3281->3284 3282->3272 3282->3275 3283 7ff7ab3354ac 3 API calls 3283->3284 3284->3282 3284->3283 3285 7ff7ab3335b0 3286 
7ff7ab3335e2 3285->3286 3287 7ff7ab3335bf 3285->3287 3287->3286 3288 7ff7ab3335db ?terminate@ 3287->3288 3288->3286 2905 7ff7ab333279 2906 7ff7ab333288 _exit 2905->2906 2907 7ff7ab333291 2905->2907 2906->2907 2908 7ff7ab33329a _cexit 2907->2908 2909 7ff7ab3332a6 2907->2909 2908->2909 3289 7ff7ab33a4bd #597 3290 7ff7ab336b3c 3291 7ff7ab336b5a memset 3290->3291 3292 7ff7ab336b54 3290->3292 3293 7ff7ab336b99 3291->3293 3292->3291 2910 7ff7ab338580 CloseHandle 2911 7ff7ab338594 2910->2911 2913 7ff7ab3385a3 2910->2913 2912 7ff7ab33a304 GetLastError 2911->2912 2912->2913 2914 7ff7ab333b00 2915 7ff7ab333b17 AcquireSRWLockExclusive 2914->2915 2916 7ff7ab333b65 2914->2916 2917 7ff7ab333b3e 2915->2917 2920 7ff7ab333b46 2915->2920 2921 7ff7ab3379b8 2917->2921 2919 7ff7ab333b56 ReleaseSRWLockExclusive 2919->2916 2920->2916 2920->2919 2927 7ff7ab3379e1 2921->2927 2922 7ff7ab337b52 2923 7ff7ab333300 7 API calls 2922->2923 2925 7ff7ab337b68 2923->2925 2925->2920 2927->2922 2928 7ff7ab337264 2927->2928 2933 7ff7ab3372ec 2927->2933 2929 7ff7ab337280 2928->2929 2932 7ff7ab3372aa 2928->2932 2930 7ff7ab33a324 GetModuleHandleW 2929->2930 2931 7ff7ab337285 GetProcAddress 2930->2931 2931->2932 2932->2927 2934 7ff7ab33733a 2933->2934 2935 7ff7ab337310 2933->2935 2934->2927 2936 7ff7ab33a324 GetModuleHandleW 2935->2936 2937 7ff7ab337315 GetProcAddress 2936->2937 2937->2934 2938 7ff7ab333b80 2939 7ff7ab333bcb 2938->2939 2940 7ff7ab333b92 AcquireSRWLockExclusive 2938->2940 2941 7ff7ab333bbd 2940->2941 2942 7ff7ab333bae ReleaseSRWLockExclusive 2940->2942 2941->2939 2944 7ff7ab3358f0 2941->2944 2942->2941 2955 7ff7ab333d58 2944->2955 2946 7ff7ab335906 AcquireSRWLockExclusive 2957 7ff7ab336200 2946->2957 2949 7ff7ab335927 ReleaseSRWLockExclusive 2950 7ff7ab335936 2949->2950 2965 7ff7ab3355ac 2950->2965 2956 7ff7ab333d7b 2955->2956 2956->2946 2958 7ff7ab336216 2957->2958 2960 7ff7ab336222 2957->2960 2983 7ff7ab336698 2958->2983 2961 7ff7ab336698 2 API calls 2960->2961 2962 7ff7ab336238 
2960->2962 2961->2962 2963 7ff7ab335922 2962->2963 2964 7ff7ab336698 2 API calls 2962->2964 2963->2949 2963->2950 2964->2963 2966 7ff7ab335602 2965->2966 2967 7ff7ab3355d0 2965->2967 2969 7ff7ab33563b 2966->2969 2970 7ff7ab335c60 15 API calls 2966->2970 2996 7ff7ab335c60 2967->2996 2971 7ff7ab33569b 2969->2971 2972 7ff7ab335c60 15 API calls 2969->2972 2970->2969 2973 7ff7ab333300 7 API calls 2971->2973 2972->2971 2974 7ff7ab3356a7 2973->2974 2975 7ff7ab33402c 2974->2975 2976 7ff7ab334049 2975->2976 2977 7ff7ab33404e 2975->2977 3020 7ff7ab338858 GetProcessHeap HeapFree 2976->3020 2979 7ff7ab334061 2977->2979 3021 7ff7ab338858 GetProcessHeap HeapFree 2977->3021 2980 7ff7ab334074 2979->2980 3022 7ff7ab338858 GetProcessHeap HeapFree 2979->3022 2980->2939 2990 7ff7ab334084 2983->2990 2986 7ff7ab334084 2 API calls 2987 7ff7ab336716 2986->2987 2988 7ff7ab336725 2987->2988 2994 7ff7ab338858 GetProcessHeap HeapFree 2987->2994 2988->2960 2991 7ff7ab33409f 2990->2991 2992 7ff7ab3340a4 2990->2992 2995 7ff7ab338858 GetProcessHeap HeapFree 2991->2995 2992->2986 3005 7ff7ab335c7e 2996->3005 2997 7ff7ab337264 2 API calls 2997->3005 2999 7ff7ab335e18 3001 7ff7ab335e2b 2999->3001 3018 7ff7ab338858 GetProcessHeap HeapFree 2999->3018 3002 7ff7ab333300 7 API calls 3001->3002 3004 7ff7ab335e3a 3002->3004 3004->2966 3005->2997 3005->2999 3005->3001 3007 7ff7ab3372ec GetProcAddress GetModuleHandleW 3005->3007 3008 7ff7ab3362e4 3005->3008 3013 7ff7ab334c8c 3005->3013 3017 7ff7ab338858 GetProcessHeap HeapFree 3005->3017 3007->3005 3009 7ff7ab3363df 3008->3009 3010 7ff7ab336313 3008->3010 3012 7ff7ab336328 3010->3012 3019 7ff7ab338858 GetProcessHeap HeapFree 3010->3019 3012->3005 3015 7ff7ab334cf3 3013->3015 3014 7ff7ab3354ac memcpy_s memcpy_s memcpy_s 3014->3015 3015->3014 3016 7ff7ab334d94 3015->3016 3016->3005 3294 7ff7ab333ac0 3295 7ff7ab333ad9 3294->3295 3296 7ff7ab333ac9 3294->3296 3297 7ff7ab335194 6 API calls 3296->3297 3297->3295 3298 7ff7ab3340c0 3299 7ff7ab3340d9 3298->3299 3300 
7ff7ab334105 3298->3300 3301 7ff7ab33595c 14 API calls 3299->3301 3301->3300 3302 7ff7ab333a40 3305 7ff7ab3352b8 3302->3305 3306 7ff7ab333a4c 3305->3306 3307 7ff7ab3352c1 3305->3307 3308 7ff7ab335194 6 API calls 3307->3308 3308->3306 3309 7ff7ab336a40 3310 7ff7ab336a4e 3309->3310 3311 7ff7ab336a8c 3310->3311 3313 7ff7ab3367b4 3310->3313 3314 7ff7ab33683b 3313->3314 3315 7ff7ab3367bd EnterCriticalSection AcquireSRWLockExclusive 3313->3315 3314->3311 3316 7ff7ab336808 3315->3316 3317 7ff7ab336827 3316->3317 3318 7ff7ab336818 ReleaseSRWLockExclusive 3316->3318 3317->3314 3319 7ff7ab33682c LeaveCriticalSection 3317->3319 3318->3317 3319->3314 3320 7ff7ab331fc0 3323 7ff7ab332db4 3320->3323 3322 7ff7ab331fc9 3328 7ff7ab333d1c InitializeCriticalSectionEx 3323->3328 3325 7ff7ab332e0e 3329 7ff7ab333d1c InitializeCriticalSectionEx 3325->3329 3327 7ff7ab332e1a 3327->3322 3328->3325 3329->3327 3330 7ff7ab332e44 3331 7ff7ab332e66 3330->3331 3332 7ff7ab332e6e GetProcessHeap HeapFree 3331->3332 3333 7ff7ab332eaa 3331->3333 3332->3331 3332->3332 3334 7ff7ab3364c4 3335 7ff7ab336537 3334->3335 3336 7ff7ab3364f2 AcquireSRWLockExclusive 3334->3336 3342 7ff7ab334518 3336->3342 3339 7ff7ab336523 3339->3335 3341 7ff7ab336528 ReleaseSRWLockExclusive 3339->3341 3340 7ff7ab336600 7 API calls 3340->3339 3341->3335 3343 7ff7ab334530 3342->3343 3346 7ff7ab334542 3342->3346 3350 7ff7ab337388 3343->3350 3345 7ff7ab334574 3345->3339 3345->3340 3346->3345 3355 7ff7ab334590 3346->3355 3349 7ff7ab334590 13 API calls 3349->3345 3351 7ff7ab3373d3 3350->3351 3352 7ff7ab3373ac 3350->3352 3351->3346 3353 7ff7ab33a324 GetModuleHandleW 3352->3353 3354 7ff7ab3373b1 GetProcAddress 3353->3354 3354->3351 3356 7ff7ab3345bd 3355->3356 3365 7ff7ab33462d 3355->3365 3357 7ff7ab337264 2 API calls 3356->3357 3359 7ff7ab3345e1 3357->3359 3358 7ff7ab333300 7 API calls 3360 7ff7ab33455d 3358->3360 3361 7ff7ab3345e9 GetLastError 3359->3361 3362 7ff7ab33460d 3359->3362 3360->3345 3360->3349 3368 7ff7ab336884 3361->3368 
3373 7ff7ab337404 3362->3373 3365->3358 3367 7ff7ab338344 SetLastError 3367->3362 3369 7ff7ab336899 3368->3369 3370 7ff7ab334604 3368->3370 3371 7ff7ab33a324 GetModuleHandleW 3369->3371 3370->3367 3372 7ff7ab33689e GetProcAddress 3371->3372 3372->3370 3374 7ff7ab337430 3373->3374 3377 7ff7ab33745a 3373->3377 3375 7ff7ab33a324 GetModuleHandleW 3374->3375 3376 7ff7ab337435 GetProcAddress 3375->3376 3376->3377 3377->3365 3023 7ff7ab339288 3024 7ff7ab3392dd 3023->3024 3025 7ff7ab33937d GetCurrentThreadId 3024->3025 3026 7ff7ab3393ef 3025->3026 3027 7ff7ab339535 3026->3027 3028 7ff7ab339475 3026->3028 3029 7ff7ab339480 IsDebuggerPresent 3026->3029 3030 7ff7ab3394f2 OutputDebugStringW 3028->3030 3032 7ff7ab339490 3028->3032 3033 7ff7ab338a20 3028->3033 3029->3028 3030->3032 3034 7ff7ab338c55 3033->3034 3040 7ff7ab338a50 3033->3040 3035 7ff7ab333300 7 API calls 3034->3035 3036 7ff7ab338c93 3035->3036 3036->3030 3037 7ff7ab338ada FormatMessageW 3038 7ff7ab338b2e 3037->3038 3039 7ff7ab338b53 3037->3039 3062 7ff7ab339544 3038->3062 3042 7ff7ab339544 _vsnwprintf 3039->3042 3040->3034 3040->3037 3043 7ff7ab338b51 3042->3043 3044 7ff7ab338b8b GetCurrentThreadId 3043->3044 3045 7ff7ab339544 _vsnwprintf 3043->3045 3046 7ff7ab339544 _vsnwprintf 3044->3046 3047 7ff7ab338b88 3045->3047 3048 7ff7ab338bc8 3046->3048 3047->3044 3048->3034 3049 7ff7ab339544 _vsnwprintf 3048->3049 3050 7ff7ab338bfb 3049->3050 3051 7ff7ab338c16 3050->3051 3052 7ff7ab339544 _vsnwprintf 3050->3052 3053 7ff7ab338c31 3051->3053 3056 7ff7ab339544 _vsnwprintf 3051->3056 3052->3051 3054 7ff7ab338c57 3053->3054 3055 7ff7ab338c41 3053->3055 3058 7ff7ab338c6d 3054->3058 3059 7ff7ab338c5f 3054->3059 3057 7ff7ab339544 _vsnwprintf 3055->3057 3056->3053 3057->3034 3061 7ff7ab339544 _vsnwprintf 3058->3061 3060 7ff7ab339544 _vsnwprintf 3059->3060 3060->3034 3061->3034 3063 7ff7ab339574 3062->3063 3065 7ff7ab339587 3062->3065 3064 7ff7ab339f5c _vsnwprintf 3063->3064 3064->3065 3065->3043 3066 7ff7ab337f07 _unlock 3378 
7ff7ab333ec8 3379 7ff7ab33702c 5 API calls 3378->3379 3380 7ff7ab333ee8 3379->3380 3381 7ff7ab33702c 5 API calls 3380->3381 3382 7ff7ab333ef3 3381->3382 3383 7ff7ab333f0c 3382->3383 3401 7ff7ab338858 GetProcessHeap HeapFree 3382->3401 3402 7ff7ab333fb8 3383->3402 3403 7ff7ab333fcf 3402->3403 3404 7ff7ab333fd4 DeleteCriticalSection 3402->3404 3406 7ff7ab338858 GetProcessHeap HeapFree 3403->3406 3407 7ff7ab332ec8 3408 7ff7ab332ed8 3407->3408 3410 7ff7ab33965c 3407->3410 3409 7ff7ab33966e 3410->3409 3411 7ff7ab336d84 WaitForSingleObjectEx 3410->3411 3412 7ff7ab339689 3411->3412 3413 7ff7ab3396cf 3412->3413 3420 7ff7ab3387f4 3412->3420 3421 7ff7ab33708c 2 API calls 3420->3421 3422 7ff7ab338804 3421->3422 3423 7ff7ab338950 3431 7ff7ab33888c 3423->3431 3426 7ff7ab3389a3 3427 7ff7ab338974 3427->3426 3437 7ff7ab339094 3427->3437 3432 7ff7ab3388b9 3431->3432 3436 7ff7ab3388e5 GetCurrentThreadId 3431->3436 3449 7ff7ab338d54 GetCurrentThreadId 3432->3449 3436->3426 3436->3427 3438 7ff7ab3390a2 3437->3438 3441 7ff7ab338993 3437->3441 3455 7ff7ab338f2c 3438->3455 3441->3426 3443 7ff7ab339ce4 3441->3443 3444 7ff7ab339d05 3443->3444 3448 7ff7ab339d1a 3443->3448 3445 7ff7ab339dce 3444->3445 3447 7ff7ab3352dc 3 API calls 3444->3447 3445->3426 3447->3448 3448->3445 3487 7ff7ab339b90 3448->3487 3450 7ff7ab3388c3 3449->3450 3450->3436 3451 7ff7ab338f90 3450->3451 3452 7ff7ab339074 3451->3452 3453 7ff7ab338fbf 3451->3453 3452->3436 3453->3452 3453->3453 3454 7ff7ab33904d memcpy_s 3453->3454 3454->3452 3456 7ff7ab338f4a 3455->3456 3457 7ff7ab338f5c 3455->3457 3461 7ff7ab338360 GetCurrentProcessId 3456->3461 3457->3441 3459 7ff7ab338dc0 GetCurrentThreadId 3457->3459 3460 7ff7ab338dfe 3459->3460 3460->3441 3462 7ff7ab339eac _vsnwprintf 3461->3462 3463 7ff7ab3383be CreateMutexExW 3462->3463 3464 7ff7ab33708c 2 API calls 3463->3464 3465 7ff7ab3383f0 3464->3465 3466 7ff7ab3383f8 3465->3466 3467 7ff7ab338401 3465->3467 3468 7ff7ab338d20 GetLastError 3466->3468 3469 7ff7ab336d84 
WaitForSingleObjectEx 3467->3469 3476 7ff7ab3383fd 3468->3476 3470 7ff7ab338410 3469->3470 3471 7ff7ab339fdc 19 API calls 3470->3471 3472 7ff7ab338428 3471->3472 3472->3476 3477 7ff7ab334e94 3472->3477 3473 7ff7ab333300 7 API calls 3474 7ff7ab338483 3473->3474 3474->3457 3476->3473 3478 7ff7ab3352dc 3 API calls 3477->3478 3479 7ff7ab334ec0 3478->3479 3480 7ff7ab334ecd 3479->3480 3481 7ff7ab3385b0 11 API calls 3479->3481 3480->3476 3482 7ff7ab334f0f 3481->3482 3483 7ff7ab334f29 memset memset 3482->3483 3484 7ff7ab334f15 3482->3484 3483->3484 3484->3480 3486 7ff7ab338858 GetProcessHeap HeapFree 3484->3486 3488 7ff7ab339bff 3487->3488 3489 7ff7ab339c6a 3488->3489 3490 7ff7ab3352dc 3 API calls 3488->3490 3492 7ff7ab339cc7 3489->3492 3500 7ff7ab338148 3489->3500 3491 7ff7ab339c39 3490->3491 3491->3489 3493 7ff7ab339c41 GetProcessHeap HeapFree 3491->3493 3492->3445 3493->3489 3495 7ff7ab339c93 3496 7ff7ab338148 memcpy_s 3495->3496 3497 7ff7ab339ca5 3496->3497 3505 7ff7ab3381d4 3497->3505 3499 7ff7ab339cb7 memset 3499->3492 3501 7ff7ab3381af 3500->3501 3502 7ff7ab338162 3500->3502 3501->3495 3502->3501 3503 7ff7ab338180 memcpy_s 3502->3503 3504 7ff7ab338197 3503->3504 3504->3495 3506 7ff7ab33823c 3505->3506 3507 7ff7ab3381ee 3505->3507 3506->3499 3507->3506 3508 7ff7ab33820d memcpy_s 3507->3508 3509 7ff7ab338224 3508->3509 3509->3499 3510 7ff7ab3389d0 3511 7ff7ab3389e1 3510->3511 3513 7ff7ab3389ff 3510->3513 3514 7ff7ab338e28 3511->3514 3515 7ff7ab338e5e GetModuleHandleExW 3514->3515 3516 7ff7ab338e8a 3514->3516 3515->3516 3520 7ff7ab338e7b 3515->3520 3517 7ff7ab338ea2 GetModuleFileNameA 3516->3517 3516->3520 3517->3520 3518 7ff7ab333300 7 API calls 3519 7ff7ab338f19 3518->3519 3519->3513 3520->3518 2621 7ff7ab333010 __wgetmainargs 3067 7ff7ab332c90 StrStrIW 3068 7ff7ab332ccd 3067->3068 3521 7ff7ab3332d0 3524 7ff7ab3337c4 3521->3524 3525 7ff7ab3337f0 6 API calls 3524->3525 3526 7ff7ab3332d9 3524->3526 3525->3526 3527 7ff7ab336ad0 GetModuleHandleW GetProcAddress 3528 
7ff7ab336b16 3527->3528

    Executed Functions

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: Processiswspace$Windowwcsncmp$#650#796CriticalCurrentLocalSection$#701#791#797#798AddressAllocAllowCommandCreateDebuggerDeleteDirectoryErrorEventExplicitFindForegroundFreeGuidHandleHeapInformationInitializeLineModeModelModulePresentProcRegisterTerminateThreadUserValue
    • String ID: -ResetDestinationList$-embedding$-eval$-new$-newtab$-nowait$-startmanager$CREDAT:$IEFrame$Internet Explorer$Microsoft.InternetExplorer.Default$Microsoft.InternetExplorer.Preview$SCODEF:$SetSearchPathMode$Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe$TerminateOnShutdown$kernel32.dll${28fb17e0-d393-439d-9a21-9474a070473a}
    • API String ID: 1949848870-2116736064
    • Opcode ID: 5cbf7e3b62b0e1b2dd0339fa934ce8da59108eb7c585c4458d5ad134622346d7
    • Instruction ID: 15120eb97e55223d8a971591a682dbd3d922d9f4ba94c244a9f82d985e686366
    • Opcode Fuzzy Hash: 5cbf7e3b62b0e1b2dd0339fa934ce8da59108eb7c585c4458d5ad134622346d7
    • Instruction Fuzzy Hash: 64526625A0AE4286E7586B18E4102BAF7A0FF45B45FC68139CA5E437B4EF3DE45DC720
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 257 7ff7ab332c20-7ff7ab332c5b LdrResolveDelayLoadedAPI
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: DelayLoadedResolve
    • String ID:
    • API String ID: 841769287-0
    • Opcode ID: eea864d283906364419ae6e519fdaa41bf6c95a093a1099331d4b2ad11d967b4
    • Instruction ID: 3ea78e8685a88538be67e633f9d95eef38453e7dfe87bb9e662a9b7ba7ec9cea
    • Opcode Fuzzy Hash: eea864d283906364419ae6e519fdaa41bf6c95a093a1099331d4b2ad11d967b4
    • Instruction Fuzzy Hash: 35E0ECB4909E41D6D614AF09E84016AFBA0FB49784FC1423ADD4C87330DF3CE119CB20
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 258 7ff7ab3335f0-7ff7ab333607 SetUnhandledExceptionFilter
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 6001aa6e275cb08d08a7307cc9a0546da0be092fc9bf1e545be47e08ac8f896d
    • Instruction ID: 9a8882f9af7548b62f4117541b5c6d7c792c14f61085bccf8dbe49154a423ac1
    • Opcode Fuzzy Hash: 6001aa6e275cb08d08a7307cc9a0546da0be092fc9bf1e545be47e08ac8f896d
    • Instruction Fuzzy Hash: 57B09210E2A846C1E608BB25DCC506652A0BB58300FC20474C00DC1130EF6C919F8710
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 196 7ff7ab333060-7ff7ab33309c GetStartupInfoW 197 7ff7ab33309f-7ff7ab3330aa 196->197 198 7ff7ab3330c7 197->198 199 7ff7ab3330ac-7ff7ab3330af 197->199 202 7ff7ab3330cc-7ff7ab3330d4 198->202 200 7ff7ab3330ba-7ff7ab3330c5 Sleep 199->200 201 7ff7ab3330b1-7ff7ab3330b8 199->201 200->197 201->202 203 7ff7ab3330d6-7ff7ab3330e2 _amsg_exit 202->203 204 7ff7ab3330e4-7ff7ab3330ec 202->204 205 7ff7ab333150-7ff7ab333158 203->205 206 7ff7ab3330ee-7ff7ab33310a 204->206 207 7ff7ab333145 204->207 210 7ff7ab33315a-7ff7ab33316d _initterm 205->210 211 7ff7ab333177-7ff7ab333179 205->211 208 7ff7ab33310e-7ff7ab333111 206->208 209 7ff7ab33314b 207->209 214 7ff7ab333137-7ff7ab333139 208->214 215 7ff7ab333113-7ff7ab333115 208->215 209->205 210->211 212 7ff7ab33317b-7ff7ab33317e 211->212 213 7ff7ab333185-7ff7ab33318c 211->213 212->213 216 7ff7ab3331b8-7ff7ab3331c5 213->216 217 7ff7ab33318e-7ff7ab33319c call 7ff7ab333730 213->217 214->209 219 7ff7ab33313b-7ff7ab333140 214->219 218 7ff7ab333117-7ff7ab33311a 215->218 215->219 223 7ff7ab3331c7-7ff7ab3331cc 216->223 224 7ff7ab3331d1-7ff7ab3331d6 216->224 217->216 228 7ff7ab33319e-7ff7ab3331ae 217->228 221 7ff7ab33312c-7ff7ab333135 218->221 222 7ff7ab33311c-7ff7ab333126 call 7ff7ab3335f0 218->222 225 7ff7ab3332a6-7ff7ab3332c3 219->225 221->208 229 7ff7ab333128 222->229 223->225 227 7ff7ab3331da-7ff7ab3331e1 224->227 230 7ff7ab333257-7ff7ab33325b 227->230 231 7ff7ab3331e3-7ff7ab3331e6 227->231 228->216 229->221 232 7ff7ab33325d-7ff7ab333267 230->232 233 7ff7ab33326b-7ff7ab333274 230->233 234 7ff7ab3331e8-7ff7ab3331ea 231->234 235 7ff7ab3331ec-7ff7ab3331f2 231->235 232->233 233->227 234->230 234->235 236 7ff7ab333202-7ff7ab333236 call 7ff7ab3320f0 235->236 237 7ff7ab3331f4-7ff7ab333200 235->237 240 7ff7ab333238-7ff7ab33323a exit 236->240 241 7ff7ab333240-7ff7ab333247 236->241 237->235 240->241 242 7ff7ab333249-7ff7ab33324f _cexit 241->242 243 7ff7ab333255 241->243 242->243 243->225
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
    • String ID:
    • API String ID: 642454821-0
    • Opcode ID: bb44e4616eb5c65ff88db3840147a3e2a0d5ed5ed27fd7d857889ee307af0b61
    • Instruction ID: 7663b1b09a135fa5f988470e16b5bf3a952b71e4ba0680743dcd3b3886ea149d
    • Opcode Fuzzy Hash: bb44e4616eb5c65ff88db3840147a3e2a0d5ed5ed27fd7d857889ee307af0b61
    • Instruction Fuzzy Hash: 67612E25E0AE4282F768BB19E54023BB2A1FF44740FD6907DDA4D972B4DF3DE8498720
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 245 7ff7ab332bb0-7ff7ab332bc8 246 7ff7ab332bca-7ff7ab332bd8 #701 245->246 247 7ff7ab332beb-7ff7ab332bed 245->247 248 7ff7ab332bfd 246->248 250 7ff7ab332bda 246->250 247->248 249 7ff7ab332bef-7ff7ab332bf7 247->249 252 7ff7ab332c01-7ff7ab332c06 248->252 249->248 251 7ff7ab337f76-7ff7ab337fa8 GetCurrentProcess SetUserObjectInformationW 249->251 253 7ff7ab332c08-7ff7ab332c0d 250->253 254 7ff7ab332bdc 250->254 251->252 255 7ff7ab332bde-7ff7ab332be4 253->255 254->255 255->247
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: #701
    • String ID:
    • API String ID: 1014962704-0
    • Opcode ID: 375732511076648e0a83a30ea8489711de65745c5fbe41c3a49013bee76c81e9
    • Instruction ID: 11e09f650584ac5a6ef24ec82d1d5885dee3cc981524fcc2b1a29b79e7844fb8
    • Opcode Fuzzy Hash: 375732511076648e0a83a30ea8489711de65745c5fbe41c3a49013bee76c81e9
    • Instruction Fuzzy Hash: 9E012535A0AE4287E718AF1DA84027AF6A0FB48740FC6813DD65D83270DF3DE54C9660
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 256 7ff7ab333010-7ff7ab333058 __wgetmainargs
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: __wgetmainargs
    • String ID:
    • API String ID: 1709950718-0
    • Opcode ID: 84a41f47b81593a0fce2650ce5227a3a3db9e5ba608a78087453a4b2b347f97e
    • Instruction ID: e59df67772dbf6425c8c880c20509d826661525e85410dd48af037a3b9167852
    • Opcode Fuzzy Hash: 84a41f47b81593a0fce2650ce5227a3a3db9e5ba608a78087453a4b2b347f97e
    • Instruction Fuzzy Hash: 15E07574E0AE43D6EA08AB19F9448AAB7B0FB54314FC2013AD40C52330DE7CA18ECB20
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
    • String ID:
    • API String ID: 4104442557-0
    • Opcode ID: 9c0ad25faf5b7ff3877069055f39c091cdf0618391105c93fa88f110419690c0
    • Instruction ID: f3948bb20edebf75636f01d938430f52dad7e54ac62b4459a06f9e88ddba3bd2
    • Opcode Fuzzy Hash: 9c0ad25faf5b7ff3877069055f39c091cdf0618391105c93fa88f110419690c0
    • Instruction Fuzzy Hash: 3C115421A05F4186EB04EF74E8441A973A4FB48758F810B39EA6D87774EF7CD1A98350
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7AB332F15), ref: 00007FF7AB338861
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: e456fe8bafceeb06a2a5256b0ef70a585623336f29cce5542d887ee989b1686f
    • Instruction ID: 29abb7f1388adbb05262cd94fd441bf61302d0ac2ca5aa81c2652a9637836012
    • Opcode Fuzzy Hash: e456fe8bafceeb06a2a5256b0ef70a585623336f29cce5542d887ee989b1686f
    • Instruction Fuzzy Hash: E0C01211A45E46C2E61857976440079D691E74EB50B4A9234CE1D49331AD3D50D64700
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 284 7ff7ab338a20-7ff7ab338a4a 285 7ff7ab338c81-7ff7ab338c9e call 7ff7ab333300 284->285 286 7ff7ab338a50-7ff7ab338a53 284->286 286->285 288 7ff7ab338a59-7ff7ab338a70 286->288 290 7ff7ab338a72-7ff7ab338a79 288->290 291 7ff7ab338a94-7ff7ab338aa7 288->291 290->291 294 7ff7ab338a7b-7ff7ab338a8e 290->294 292 7ff7ab338aa9-7ff7ab338aac 291->292 293 7ff7ab338ad3 291->293 295 7ff7ab338aca-7ff7ab338ad1 292->295 296 7ff7ab338aae-7ff7ab338ab1 292->296 297 7ff7ab338ada-7ff7ab338b2c FormatMessageW 293->297 294->291 303 7ff7ab338c79 294->303 295->297 298 7ff7ab338ac1-7ff7ab338ac8 296->298 299 7ff7ab338ab3-7ff7ab338ab6 296->299 300 7ff7ab338b2e-7ff7ab338b51 call 7ff7ab339544 297->300 301 7ff7ab338b53-7ff7ab338b62 call 7ff7ab339544 297->301 298->297 299->297 304 7ff7ab338ab8-7ff7ab338abf 299->304 308 7ff7ab338b67-7ff7ab338b74 300->308 301->308 303->285 304->297 309 7ff7ab338b8b-7ff7ab338bd5 GetCurrentThreadId call 7ff7ab339544 308->309 310 7ff7ab338b76-7ff7ab338b88 call 7ff7ab339544 308->310 315 7ff7ab338be9-7ff7ab338c02 call 7ff7ab339544 309->315 316 7ff7ab338bd7-7ff7ab338bdc 309->316 310->309 320 7ff7ab338c16-7ff7ab338c1d 315->320 321 7ff7ab338c04-7ff7ab338c11 call 7ff7ab339544 315->321 316->315 317 7ff7ab338bde-7ff7ab338be3 316->317 317->303 317->315 323 7ff7ab338c31-7ff7ab338c3f 320->323 324 7ff7ab338c1f-7ff7ab338c2c call 7ff7ab339544 320->324 321->320 325 7ff7ab338c57-7ff7ab338c5d 323->325 326 7ff7ab338c41-7ff7ab338c55 call 7ff7ab339544 323->326 324->323 329 7ff7ab338c6d-7ff7ab338c74 call 7ff7ab339544 325->329 330 7ff7ab338c5f-7ff7ab338c6b call 7ff7ab339544 325->330 326->303 329->303 330->303
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: CurrentFormatMessageThread
    • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
    • API String ID: 2411632146-3173542853
    • Opcode ID: 9fc4017353fe67f11798250c32e7db4edb151911d2ec7257e57637a89284ec48
    • Instruction ID: 470c6dc440923a639520153588517d67ef27d873d456e6f374d3eaa8db9b8f04
    • Opcode Fuzzy Hash: 9fc4017353fe67f11798250c32e7db4edb151911d2ec7257e57637a89284ec48
    • Instruction Fuzzy Hash: 1D61A265A0AE82C5EB58EF59A4142BAE7A0FF48B84F86013AD94D077B4DF3DE548C710
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • WaitForSingleObject.KERNEL32(?,?,00000000,00007FF7AB33A17C), ref: 00007FF7AB339102
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: ObjectSingleWait
    • String ID:
    • API String ID: 24740636-0
    • Opcode ID: 0c1801d4bfbbe64a610bb6b346ba12615d999605ac4b3a98c56ddeb84a1ca479
    • Instruction ID: 1e1d1784035f16ba1f65aceb9edb94f25609cca8baf792062e1a43636c32d1b0
    • Opcode Fuzzy Hash: 0c1801d4bfbbe64a610bb6b346ba12615d999605ac4b3a98c56ddeb84a1ca479
    • Instruction Fuzzy Hash: 4441A531A0DE46C6E7686B19D4802BBF661EF89750F968339E90F826B4DF3CD44C8621
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • AcquireSRWLockShared.KERNEL32(?,?,?,?,?,00007FF7AB3352CE,?,?,?,?,00007FF7AB333A4C), ref: 00007FF7AB3351B5
    • ReleaseSRWLockShared.KERNEL32(?,?,?,?,?,00007FF7AB3352CE,?,?,?,?,00007FF7AB333A4C), ref: 00007FF7AB3351D5
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF7AB3352CE,?,?,?,?,00007FF7AB333A4C), ref: 00007FF7AB3351F5
    • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF7AB3352CE,?,?,?,?,00007FF7AB333A4C), ref: 00007FF7AB335204
    • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF7AB3352CE,?,?,?,?,00007FF7AB333A4C), ref: 00007FF7AB33525C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF7AB3352CE,?,?,?,?,00007FF7AB333A4C), ref: 00007FF7AB335281
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
    • String ID:
    • API String ID: 3221859647-0
    • Opcode ID: b74106ef34727cbeeb8ca6eac2aa107dbfef2bfc16bafddf444444188dfa1644
    • Instruction ID: e62b6f0023d605ea1525df2b817fe53b6f15991a8d5c6d6ecbc92d3be8c5996c
    • Opcode Fuzzy Hash: b74106ef34727cbeeb8ca6eac2aa107dbfef2bfc16bafddf444444188dfa1644
    • Instruction Fuzzy Hash: FC318432B0AE5186EA199F15A54417EE760FB89FD0B8B9138DE4E07B34DF3CD5498710
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: Heap$Process$Free$AddressAllocProcmemset
    • String ID:
    • API String ID: 2515388404-0
    • Opcode ID: 77dd1b63861ac2c121acc4bc35a2e1d272bb385a75f5ea7bfda7dd15e39da4ae
    • Instruction ID: 03d54849c2b8a8a42c13b9e0dbc6abd0ca41ea208c446b53dfece7d6df06af57
    • Opcode Fuzzy Hash: 77dd1b63861ac2c121acc4bc35a2e1d272bb385a75f5ea7bfda7dd15e39da4ae
    • Instruction Fuzzy Hash: 06916F32A05B51CAEB24DF69E4409BEB7A0FB48B48B854239DE8E53775DF38D158C710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: OpenSemaphore$ErrorLast
    • String ID: _p0
    • API String ID: 3042991519-2437413317
    • Opcode ID: f1557c01e47004c206fddc2ff79dcc276a62b6e2d5fe048c7d4d16b74e49add2
    • Instruction ID: 03ceec36f56291b043f15e222e3b58a24d2c046f818163190b53d696adefa12d
    • Opcode Fuzzy Hash: f1557c01e47004c206fddc2ff79dcc276a62b6e2d5fe048c7d4d16b74e49add2
    • Instruction Fuzzy Hash: DA616322A0AF8182EA24EB59D4501BFB2A0EF85780F964239DA4E43775EF3DD509C710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: CreateCurrentErrorLastMutexProcess
    • String ID: Local\SM0:%d:%d:%hs$x
    • API String ID: 3298007088-4178846994
    • Opcode ID: eed129f301d97677bb2cf519e8c9fed1401f1f4c784b69d40b472d6bc9c183bf
    • Instruction ID: becd1eb281292be6eefe9b9bb4c3f7bd218ae2eba7a874220a1a56da1f420e79
    • Opcode Fuzzy Hash: eed129f301d97677bb2cf519e8c9fed1401f1f4c784b69d40b472d6bc9c183bf
    • Instruction Fuzzy Hash: F7313F3261DE8286EB54AB18E4943ABE7A0FB84780F815139E64E87AB5DF7DD44CC710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: RaiseFailFastException$kernelbase.dll
    • API String ID: 1646373207-919018592
    • Opcode ID: 703b9dd24187f84f0de25b2be785225a5ba47570205fcf22a8756aecd0cb3ac2
    • Instruction ID: d04f8f31ddd3dbf88ee5621bdc8ab62d066f75c4b5e584d3d96ba624267641be
    • Opcode Fuzzy Hash: 703b9dd24187f84f0de25b2be785225a5ba47570205fcf22a8756aecd0cb3ac2
    • Instruction Fuzzy Hash: 53F0DA21A1AA9582EA08AB06F48407AEB60FB4DBC0B859179DA4E47B34DF3DD4498710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
    • String ID:
    • API String ID: 140117192-0
    • Opcode ID: c3605477168591f32072404740094eeac01a539d823a42f8c0cbe2a5677cf524
    • Instruction ID: fb391ea05062a593811eb8afd222d0cc1328f72f270764a7ea946e0abd8aaadc
    • Opcode Fuzzy Hash: c3605477168591f32072404740094eeac01a539d823a42f8c0cbe2a5677cf524
    • Instruction Fuzzy Hash: F941A739A0AF0681EB58AB1CF48036AA3A4FB88754FD25139D98D83774EF3DD459C710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00007FF7AB336878,?,?,?,?,?,?,?,?,00007FF7AB332F15), ref: 00007FF7AB3367D5
    • AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7AB336878,?,?,?,?,?,?,?,?,00007FF7AB332F15), ref: 00007FF7AB3367E4
    • ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF7AB336878,?,?,?,?,?,?,?,?,00007FF7AB332F15), ref: 00007FF7AB33681B
    • LeaveCriticalSection.KERNEL32(?,?,?,00007FF7AB336878,?,?,?,?,?,?,?,?,00007FF7AB332F15), ref: 00007FF7AB33682F
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
    • String ID:
    • API String ID: 1115728412-0
    • Opcode ID: 8391a76983001ce7ec0c0613e5031f26ca276cef02c7e08464134f76d5270d2b
    • Instruction ID: 808d79db14996fcdc85b0c8687bea51c6f40b3029097ac922c5acff82a9173f5
    • Opcode Fuzzy Hash: 8391a76983001ce7ec0c0613e5031f26ca276cef02c7e08464134f76d5270d2b
    • Instruction Fuzzy Hash: 76019262A09F8287DA189F1AA14007AEB60FB8DFC07999234DE4F07734DF3CE4858300
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: CreateCurrentErrorLastMutexProcess
    • String ID: Local\SM0:%d:%d:%hs
    • API String ID: 3298007088-4162240545
    • Opcode ID: 57e6b2b6b536e6cb3a11466b4c63530b0d15f79a4f948366dd0a4cc071021c69
    • Instruction ID: c276879704d0b6659d56898d1cbe4d39330e7b44e59baf84a3aeaa4b6ab6eedc
    • Opcode Fuzzy Hash: 57e6b2b6b536e6cb3a11466b4c63530b0d15f79a4f948366dd0a4cc071021c69
    • Instruction Fuzzy Hash: 51419432619F4696EB54AF19E4807ABA3A0FB88780FC15139EA4E87779DF3CD548C710
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF7AB3382B0,?,?,?,00007FF7AB3396AF), ref: 00007FF7AB338501
    • HeapFree.KERNEL32(?,?,00000000,00007FF7AB3382B0,?,?,?,00007FF7AB3396AF), ref: 00007FF7AB338515
    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF7AB3382B0,?,?,?,00007FF7AB3396AF), ref: 00007FF7AB338539
    • HeapFree.KERNEL32(?,?,00000000,00007FF7AB3382B0,?,?,?,00007FF7AB3396AF), ref: 00007FF7AB33854D
    Memory Dump Source
    • Source File: 00000000.00000002.303888721.00007FF7AB331000.00000020.00020000.sdmp, Offset: 00007FF7AB330000, based on PE: true
    • Associated: 00000000.00000002.303884753.00007FF7AB330000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303903109.00007FF7AB33B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303915158.00007FF7AB33F000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.303921541.00007FF7AB340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.303927069.00007FF7AB342000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7ab330000_iexplore.jbxd
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    • API String ID: 3859560861-0
    • Opcode ID: 27b511609f7e960dede6fe8eae7d8f684c03b10bcf8c944611764fd804f379c4
    • Instruction ID: d36991308593199a7a9b7821b114ba75f8bdcff58a71fb0a2570a4fd394fd11e
    • Opcode Fuzzy Hash: 27b511609f7e960dede6fe8eae7d8f684c03b10bcf8c944611764fd804f379c4
    • Instruction Fuzzy Hash: A5110A72A05F51C6E7049F56E4400ADBBA0F749F94B9A8229DF4D47728EF38E496C740
    Uniqueness

    Uniqueness Score: -1.00%