Edit tour

Windows Analysis Report
test.msi

Overview

General Information

Sample name:	test.msi
Analysis ID:	1394928
MD5:	54c2f6b177e71ec4c262930566a282d1
SHA1:	b39e90c76e1fb6e4dc6f2d4ed034ba7b9c82bf23
SHA256:	3ed9bc94879d6db3f296f8b948645a6ea9f9d4201d0209a71fbc62bf73e2e848
Tags:	85-195-115-20msi
Infos:

Detection

DarkGate, MailPassView

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DarkGate

Yara detected MailPassView

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Machine Learning detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries device information via Setup API

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious MsiExec Embedding Parent

Tries to load missing DLLs

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

msiexec.exe (PID: 2844 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\test.msi" MD5: AC2E7152124CEED36846BD1B6592A00F)

msiexec.exe (PID: 236 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)

msiexec.exe (PID: 3352 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5F18B271DCB7565374F8A7B6F18643C9 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

icacls.exe (PID: 3396 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)

expand.exe (PID: 3424 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 659CED6D7BDA047BCC6048384231DB9F)

iTunesHelper.exe (PID: 3456 cmdline: "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe" MD5: ED6A1C72A75DEE15A6FA75873CD64975)

Autoit3.exe (PID: 3468 cmdline: "c:\temp\Autoit3.exe" c:\temp\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

cmd.exe (PID: 3828 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files" MD5: AD7B9C14083B52BC532FBA5948342B98)

icacls.exe (PID: 3852 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkGate	First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.	No Attribution	https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/ https://blog.sekoia.io/darkgate-internals/ https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/ https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response https://decoded.avast.io/janrubin/complex-obfuscation-meh/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Process Memory Space: Autoit3.exe PID: 3468	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Autoit3.exe PID: 3468	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security

Sigma Signatures

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files", CommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 5F18B271DCB7565374F8A7B6F18643C9, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3352, ParentProcessName: msiexec.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files", ProcessId: 3828, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\642bddc38bf301459161108c3729c2ed.tmp	Virustotal: Detection: 19%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\CoreFoundation.dll (copy)	Virustotal: Detection: 19%			Perma Link

Multi AV Scanner detection for submitted file

Source: test.msi

ReversingLabs: Detection: 15%

Machine Learning detection for dropped file

Source: C:\temp\Autoit3.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Unpacked PE file: 10.2.iTunesHelper.exe.2080000.0.unpack

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Source:	Binary string: D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\BuildResults\Production64\bin\iTunesHelper.pdb source: iTunesHelper.exe, 0000000A.00000000.411297227.000000013FBFE000.00000002.00000001.01000000.00000007.sdmp, iTunesHelper.exe, 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmp, test.msi, files.cab.5.dr
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: test.msi, MSI7956.tmp.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_0208F2A0 FindFirstFileW,	10_2_0208F2A0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_6BE54DD0 FindFirstFileW,FindClose,	10_2_6BE54DD0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_6BE54650 FindFirstFileW,FindClose,lstrlenW,lstrlenW,	10_2_6BE54650
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD4790 WideCharToMultiByte,WideCharToMultiByte,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,	10_2_000000013FBD4790
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF43C4 FindFirstFileExW,	10_2_000000013FBF43C4
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FE494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_00FE494A
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_00FE4005
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_00FEC2FF
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_00FECD9F
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FECD14 FindFirstFileW,FindClose,	11_2_00FECD14
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00FEF5D8
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00FEF735
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_00FEFA36
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_00FE3CE2
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C6A68C FindFirstFileW,FindNextFileW,FindClose,	11_2_04C6A68C
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C692A4 FindFirstFileW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,	11_2_04C692A4

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FF29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

11_2_00FF29BA

Source: test.msi, files.cab.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: files.cab.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://www.apple.com/
Source: iTunesHelper.exe, 0000000A.00000002.510465990.000000000039F000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000B.00000000.412214150.0000000001049000.00000002.00000001.01000000.00000009.sdmp, Autoit3.exe.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: test.msi, files.cab.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Autoit3.exe, 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/#inbox
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Autoit3.exe.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FF4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

11_2_00FF4632

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FF4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

11_2_00FF4830

Source: C:\temp\Autoit3.exe

11_2_00FF4632

Source: C:\temp\Autoit3.exe

Code function: 11_2_04C4B220 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

11_2_04C4B220

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FE0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

11_2_00FE0508

Source: C:\temp\Autoit3.exe

Code function: 11_2_0100D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

11_2_0100D164

Source: C:\temp\Autoit3.exe

Code function: 11_2_04C62180 CreateDesktopA,SetThreadDesktop,CreateProcessA,

11_2_04C62180

Source: C:\Windows\SysWOW64\icacls.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\temp\Autoit3.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\temp\Autoit3.exe	Code function: 11_2_04C62CC4 NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,	11_2_04C62CC4
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C62C1C NtQueryObject,	11_2_04C62C1C
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C62F68 Sleep,NtClose,NtClose,	11_2_04C62F68
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C62BE8 NtDuplicateObject,NtClose,	11_2_04C62BE8
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C39934 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	11_2_04C39934

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBD51D0: CreateFileW,DeviceIoControl,CloseHandle,

10_2_000000013FBD51D0

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FD8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

11_2_00FD8F2E

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FE5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

11_2_00FE5778

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\78bc1f.msi

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\78bc20.ipi

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_0208ED60	10_2_0208ED60
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_02092AA0	10_2_02092AA0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_6BE54890	10_2_6BE54890
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_6BE6F350	10_2_6BE6F350
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD1720	10_2_000000013FBD1720
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF2F4C	10_2_000000013FBF2F4C
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD3670	10_2_000000013FBD3670
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE9EC8	10_2_000000013FBE9EC8
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE46C0	10_2_000000013FBE46C0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE6EAC	10_2_000000013FBE6EAC
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE2E0C	10_2_000000013FBE2E0C
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD2E00	10_2_000000013FBD2E00
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE25EC	10_2_000000013FBE25EC
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF0E34	10_2_000000013FBF0E34
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF351C	10_2_000000013FBF351C
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD5510	10_2_000000013FBD5510
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE8CE4	10_2_000000013FBE8CE4
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF2CD0	10_2_000000013FBF2CD0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE2C08	10_2_000000013FBE2C08
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF73F8	10_2_000000013FBF73F8
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE23E8	10_2_000000013FBE23E8
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBEA3D4	10_2_000000013FBEA3D4
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD53D0	10_2_000000013FBD53D0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF43C4	10_2_000000013FBF43C4
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBFC308	10_2_000000013FBFC308
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBEC300	10_2_000000013FBEC300
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF12C8	10_2_000000013FBF12C8
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE42BC	10_2_000000013FBE42BC
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD92B0	10_2_000000013FBD92B0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE29FC	10_2_000000013FBE29FC
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD51D0	10_2_000000013FBD51D0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF1948	10_2_000000013FBF1948
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBEC940	10_2_000000013FBEC940
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE3928	10_2_000000013FBE3928
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD40A0	10_2_000000013FBD40A0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBEF068	10_2_000000013FBEF068
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBE27F8	10_2_000000013FBE27F8
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD5830	10_2_000000013FBD5830
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FA33B7	11_2_00FA33B7
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F894E0	11_2_00F894E0
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F81663	11_2_00F81663
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F89C80	11_2_00F89C80
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FA23F5	11_2_00FA23F5
Source: C:\temp\Autoit3.exe	Code function: 11_2_01008400	11_2_01008400
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FB6502	11_2_00FB6502
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F8E6F0	11_2_00F8E6F0
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FB265E	11_2_00FB265E
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FA282A	11_2_00FA282A
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FB89BF	11_2_00FB89BF
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FB6A74	11_2_00FB6A74
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F90BE0	11_2_00F90BE0
Source: C:\temp\Autoit3.exe	Code function: 11_2_01000A3A	11_2_01000A3A
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FDEDB2	11_2_00FDEDB2
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FACD51	11_2_00FACD51
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FE8E44	11_2_00FE8E44
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FB6FE6	11_2_00FB6FE6
Source: C:\temp\Autoit3.exe	Code function: 11_2_01000EB7	11_2_01000EB7
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F8B020	11_2_00F8B020
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F9D45D	11_2_00F9D45D
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FAF409	11_2_00FAF409
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FA16B4	11_2_00FA16B4
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F8F6A0	11_2_00F8F6A0
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F9F628	11_2_00F9F628
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FA78C3	11_2_00FA78C3
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FA1BA8	11_2_00FA1BA8
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FADBA5	11_2_00FADBA5
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FB9CE5	11_2_00FB9CE5
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F9DD28	11_2_00F9DD28
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FABFD6	11_2_00FABFD6
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FA1FC0	11_2_00FA1FC0
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C4EC98	11_2_04C4EC98
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C38E2C	11_2_04C38E2C
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C35610	11_2_04C35610
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C5B250	11_2_04C5B250
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C59C68	11_2_04C59C68

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\4cd6e0f52e7043469984c6056cd7318a.tmp 0D8878CCA08903777888B3681F90E4A07C7AEF7D9600A67DFA985844D4BF5EDA

Source: C:\temp\Autoit3.exe	Code function: String function: 04C444F8 appears 31 times
Source: C:\temp\Autoit3.exe	Code function: String function: 00FA8B30 appears 42 times
Source: C:\temp\Autoit3.exe	Code function: String function: 04C16A4C appears 111 times
Source: C:\temp\Autoit3.exe	Code function: String function: 00FA0D17 appears 70 times
Source: C:\temp\Autoit3.exe	Code function: String function: 00F91A36 appears 34 times
Source: C:\temp\Autoit3.exe	Code function: String function: 04C14724 appears 52 times
Source: C:\temp\Autoit3.exe	Code function: String function: 04C14450 appears 104 times
Source: C:\temp\Autoit3.exe	Code function: String function: 04C149C0 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: String function: 000000013FBD5F60 appears 32 times

Source: 642bddc38bf301459161108c3729c2ed.tmp.8.dr

Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: test.msi

Binary or memory string: OriginalFilenameiTunesHelper.exe. vs test.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Section loaded: corefoundation.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\temp\Autoit3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: wow64cpu.dll	Jump to behavior

Source: metadata-2.2.dr	Binary string: highlight.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\66program files\windows sidebar\gadgets\rssfeeds.gadgeticon.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: wmplayer.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images**undocked_black_moon-new_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.2.dr	Binary string: buttonup_off.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: system.web.dynamicdata.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images33docked_black_moon-waxing-gibbous_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: system.addin.contract.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: btn-previous-static.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: keypad.xml22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\99program files\dvd maker\shared\dvdstyles\specialoccasion,,specialnavigationup_selectionsubpicture.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: scenes_intro_bg_pal.wmv22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: acxtrnal.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.2.dr	Binary string: sbdrop.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}

Source: classification engine

Classification label: mal96.troj.spyw.evad.winMSI@16/23@0/0

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FEA6AD GetLastError,FormatMessageW,

11_2_00FEA6AD

Source: C:\temp\Autoit3.exe	Code function: 11_2_00FD8DE9 AdjustTokenPrivileges,CloseHandle,		11_2_00FD8DE9
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FD9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		11_2_00FD9399

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FEB976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

11_2_00FEB976

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FE4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

11_2_00FE4148

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBD1E80 CoCreateInstance,SysAllocString,SysFreeString,

10_2_000000013FBD1E80

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FE443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

11_2_00FE443D

Source: C:\temp\Autoit3.exe

File created: C:\Users\user\AppData\Roaming\cBDKKEc

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\~DFF9711021A423063A.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\icacls.exe	Console Write: ......................$......... 4......(.P.....L.......T.......................................0...............................p. ....... .....	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Console Write: ......................$......... 4......(.P.....L.......T...............%.......................0.......................v.................$.....	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Console Write: ................P.......................(.P..............................$......................................................N..s............	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Console Write: ................P...............:. .....(.P..............................$......................................x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Console Write: ................................ 4#.....(.P..............................$..............................................X.......................	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Console Write: ................................ 4#.....(.P..............................$..............................................v.......................	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\temp\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\msiwrapper.ini

Jump to behavior

Source: C:\Windows\SysWOW64\icacls.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: test.msi

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\test.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5F18B271DCB7565374F8A7B6F18643C9
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Process created: C:\temp\Autoit3.exe "c:\temp\Autoit3.exe" c:\temp\script.a3x
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5F18B271DCB7565374F8A7B6F18643C9	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Process created: C:\temp\Autoit3.exe "c:\temp\Autoit3.exe" c:\temp\script.a3x	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\msiwrapper.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: test.msi

Static file information: File size 4038656 > 1048576

Source:	Binary string: D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\BuildResults\Production64\bin\iTunesHelper.pdb source: iTunesHelper.exe, 0000000A.00000000.411297227.000000013FBFE000.00000002.00000001.01000000.00000007.sdmp, iTunesHelper.exe, 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmp, test.msi, files.cab.5.dr
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: test.msi, MSI7956.tmp.2.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Unpacked PE file: 10.2.iTunesHelper.exe.2080000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBD9780 GetModuleFileNameW,PathRemoveFileSpecW,PathAppendW,LoadLibraryW,GetProcAddress,GetProcAddress,GetLastError,MultiByteToWideChar,FreeLibrary,

10_2_000000013FBD9780

Source: 642bddc38bf301459161108c3729c2ed.tmp.8.dr	Static PE information: section name: .didata
Source: 4cd6e0f52e7043469984c6056cd7318a.tmp.8.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FC150E0 push rbx; retf	10_2_000000013FC150E1
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FA8B75 push ecx; ret	11_2_00FA8B88
Source: C:\temp\Autoit3.exe	Code function: 11_2_0381E7B9 push 0381E7E7h; ret	11_2_0381E7DF
Source: C:\temp\Autoit3.exe	Code function: 11_2_0381E7C1 push 0381E7E7h; ret	11_2_0381E7DF
Source: C:\temp\Autoit3.exe	Code function: 11_2_0381DFDD push 0381E009h; ret	11_2_0381E001
Source: C:\temp\Autoit3.exe	Code function: 11_2_0381DF19 push 0381DF51h; ret	11_2_0381DF49
Source: C:\temp\Autoit3.exe	Code function: 11_2_0381DF5D push 0381DF89h; ret	11_2_0381DF81
Source: C:\temp\Autoit3.exe	Code function: 11_2_0381DD75 push 0381DDAFh; ret	11_2_0381DDA7
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C3C4D8 push 04C3C504h; ret	11_2_04C3C4FC
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C3E4B8 push 04C3E504h; ret	11_2_04C3E4FC
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C20418 push 04C20444h; ret	11_2_04C2043C
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C165D0 push 04C16621h; ret	11_2_04C16619
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C64588 push 04C645BBh; ret	11_2_04C645B3
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C68538 push 04C68564h; ret	11_2_04C6855C
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C68690 push 04C686BCh; ret	11_2_04C686B4
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C64604 push 04C64630h; ret	11_2_04C64628
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C68620 push 04C6864Ch; ret	11_2_04C68644
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C38634 push 04C3869Ch; ret	11_2_04C38694
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C627D8 push 04C62804h; ret	11_2_04C627FC
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C267A8 push 04C26850h; ret	11_2_04C26848
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C3C710 push 04C3C73Ch; ret	11_2_04C3C734
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C6C71C push 04C6C742h; ret	11_2_04C6C73A
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C26730 push 04C267A6h; ret	11_2_04C2679E
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C2E034 push 04C2E0A3h; ret	11_2_04C2E09B
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C2C034 push ecx; mov dword ptr [esp], 0000001Ch	11_2_04C2C035
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C4215C push 04C42194h; ret	11_2_04C4218C
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C68158 push 04C681AFh; ret	11_2_04C681A7
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C62114 push 04C6217Ch; ret	11_2_04C62174
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C683BC push 04C683FEh; ret	11_2_04C683F6
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C2A308 push ecx; mov dword ptr [esp], edx	11_2_04C2A30A
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C3CCC0 push 04C3CD02h; ret	11_2_04C3CCFA

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	File created: C:\temp\Autoit3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\CoreFoundation.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\642bddc38bf301459161108c3729c2ed.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\4cd6e0f52e7043469984c6056cd7318a.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7956.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI7956.tmp

Jump to dropped file

Source: metadata-2.2.dr	Binary or memory string: bcdedit.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.2.dr	Binary or memory string: bcdedit.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\temp\Autoit3.exe	Code function: 11_2_010059B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		11_2_010059B3
Source: C:\temp\Autoit3.exe	Code function: 11_2_00F95EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		11_2_00F95EDA

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FA33B7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_00FA33B7

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\temp\Autoit3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Autoit3.exe, Autoit3.exe, 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SUPERANTISPYWARE.EXE

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBD5510 SetupDiGetClassDevsW,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,SetupDiGetDeviceInterfaceDetailW,SetupDiGetDeviceRegistryPropertyW,SetupDiDestroyDeviceInfoList,

10_2_000000013FBD5510

Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\642bddc38bf301459161108c3729c2ed.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7956.tmp			Jump to dropped file

Source: C:\temp\Autoit3.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_11-140071

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Evasive API call chain: RegQueryValue,DecisionNodes,Sleep

graph_10-30833

Source: C:\temp\Autoit3.exe

API coverage: 4.1 %

Source: C:\Windows\System32\msiexec.exe TID: 2308	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3896	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 1660	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3372	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3884	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_0208F2A0 FindFirstFileW,	10_2_0208F2A0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_6BE54DD0 FindFirstFileW,FindClose,	10_2_6BE54DD0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_6BE54650 FindFirstFileW,FindClose,lstrlenW,lstrlenW,	10_2_6BE54650
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBD4790 WideCharToMultiByte,WideCharToMultiByte,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,	10_2_000000013FBD4790
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBF43C4 FindFirstFileExW,	10_2_000000013FBF43C4
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FE494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_00FE494A
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_00FE4005
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_00FEC2FF
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_00FECD9F
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FECD14 FindFirstFileW,FindClose,	11_2_00FECD14
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00FEF5D8
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00FEF735
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_00FEFA36
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_00FE3CE2
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C6A68C FindFirstFileW,FindNextFileW,FindClose,	11_2_04C6A68C
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C692A4 FindFirstFileW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,	11_2_04C692A4

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_02091BB0 GetSystemInfo,

10_2_02091BB0

Source: Autoit3.exe, 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Autoit3.exe, Autoit3.exe, 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: metadata-2.2.dr	Binary or memory string: lsm.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.2.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: metadata-2.2.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Source: metadata-2.2.dr	Binary or memory string: imscmig.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\temp\Autoit3.exe

API call chain: ExitProcess graph end node

graph_11-138047

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FF45D5 BlockInput,

11_2_00FF45D5

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBDACA4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_000000013FBDACA4

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBD9A08 GetLastError,IsDebuggerPresent,OutputDebugStringW,

10_2_000000013FBD9A08

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBD9780 GetModuleFileNameW,PathRemoveFileSpecW,PathAppendW,LoadLibraryW,GetProcAddress,GetProcAddress,GetLastError,MultiByteToWideChar,FreeLibrary,

10_2_000000013FBD9780

Source: C:\temp\Autoit3.exe	Code function: 11_2_0382618A mov eax, dword ptr fs:[00000030h]	11_2_0382618A
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C38E2C mov eax, dword ptr fs:[00000030h]	11_2_04C38E2C
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C38E2C mov eax, dword ptr fs:[00000030h]	11_2_04C38E2C
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C43184 mov eax, dword ptr fs:[00000030h]	11_2_04C43184

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBF5E3C GetProcessHeap,

10_2_000000013FBF5E3C

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBDAE8C SetUnhandledExceptionFilter,	10_2_000000013FBDAE8C
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBDACA4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_000000013FBDACA4
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBDA2F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_000000013FBDA2F0
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: 10_2_000000013FBED8B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_000000013FBED8B8
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FAA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00FAA385
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FAA354 SetUnhandledExceptionFilter,	11_2_00FAA354

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\temp\Autoit3.exe

Code function: 11_2_04C3C510 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

11_2_04C3C510

Contains functionality to inject threads in other processes

Source: C:\temp\Autoit3.exe

Code function: 11_2_04C3C510 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

11_2_04C3C510

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FD9369 LogonUserW,

11_2_00FD9369

Source: C:\temp\Autoit3.exe

Code function: 11_2_00F95240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_00F95240

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FE1AC6 SendInput,keybd_event,

11_2_00FE1AC6

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FE51E2 mouse_event,

11_2_00FE51E2

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5F18B271DCB7565374F8A7B6F18643C9	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Process created: C:\temp\Autoit3.exe "c:\temp\Autoit3.exe" c:\temp\script.a3x	Jump to behavior

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FD88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

11_2_00FD88CD

Source: C:\temp\Autoit3.exe

Code function: 11_2_00FE4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

11_2_00FE4F1C

Source: iTunesHelper.exe, 0000000A.00000002.510862324.000007FFFF725000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000B.00000000.412195529.0000000001036000.00000002.00000001.01000000.00000009.sdmp, Autoit3.exe.10.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Autoit3.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBFBE00 cpuid

10_2_000000013FBFBE00

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	10_2_6BE54F80
Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_6BE54060
Source: C:\temp\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_04C15C08
Source: C:\temp\Autoit3.exe	Code function: GetLocaleInfoA,	11_2_04C1655C
Source: C:\temp\Autoit3.exe	Code function: GetLocaleInfoA,	11_2_04C1CC4C
Source: C:\temp\Autoit3.exe	Code function: GetLocaleInfoA,	11_2_04C1B630
Source: C:\temp\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_04C15D12

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

10_2_000000013FBD5510

Source: C:\temp\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\temp\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\temp\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior
Source: C:\temp\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBDAEF8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

10_2_000000013FBDAEF8

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBD1310 GetUserNameA,CreateEventA,GetLastError,CloseHandle,CoInitialize,GetModuleHandleA,GetCommandLineA,CoUninitialize,CloseHandle,

10_2_000000013FBD1310

Source: C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe

Code function: 10_2_000000013FBF2F4C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

10_2_000000013FBF2F4C

Source: C:\temp\Autoit3.exe

Code function: 11_2_00F95D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

11_2_00F95D13

Source: Autoit3.exe, Autoit3.exe, 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: Autoit3.exe, Autoit3.exe, 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: superantispyware.exe

Stealing of Sensitive Information

Yara detected DarkGate

Source: Yara match	File source: 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 3468, type: MEMORYSTR

Yara detected MailPassView

Source: Yara match	File source: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 3468, type: MEMORYSTR

Source: Autoit3.exe	Binary or memory string: WIN_81
Source: Autoit3.exe	Binary or memory string: WIN_XP
Source: Autoit3.exe	Binary or memory string: WIN_XPe
Source: Autoit3.exe	Binary or memory string: WIN_VISTA
Source: Autoit3.exe	Binary or memory string: WIN_7
Source: Autoit3.exe	Binary or memory string: WIN_8
Source: Autoit3.exe.10.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected DarkGate

Source: Yara match	File source: 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 3468, type: MEMORYSTR

Source: C:\temp\Autoit3.exe	Code function: 11_2_00FF696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	11_2_00FF696E
Source: C:\temp\Autoit3.exe	Code function: 11_2_00FF6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	11_2_00FF6E32
Source: C:\temp\Autoit3.exe	Code function: 11_2_04C2BE98 bind,	11_2_04C2BE98

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Windows Service	21 Access Token Manipulation	1 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	2 Windows Service	1 DLL Side-Loading	LSA Secrets	66 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Services File Permissions Weakness	212 Process Injection	1 File Deletion	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Services File Permissions Weakness	21 Masquerading	DCSync	241 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	3 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	212 Process Injection	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Services File Permissions Weakness	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
test.msi	16%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Link
C:\temp\Autoit3.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\4cd6e0f52e7043469984c6056cd7318a.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\4cd6e0f52e7043469984c6056cd7318a.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\642bddc38bf301459161108c3729c2ed.tmp	20%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\CoreFoundation.dll (copy)	20%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe (copy)	0%	Virustotal	Browse
C:\Windows\Installer\MSI7956.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7956.tmp	1%	Virustotal	Browse
C:\temp\Autoit3.exe	3%	ReversingLabs
C:\temp\Autoit3.exe	4%	Virustotal	Browse

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/J	iTunesHelper.exe, 0000000A.00000002.510465990.000000000039F000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000B.00000000.412214150.0000000001049000.00000002.00000001.01000000.00000009.sdmp, Autoit3.exe.10.dr	false	high
https://mail.google.com/mail/u/0/#inbox	Autoit3.exe, 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/autoit3/	iTunesHelper.exe, 0000000A.00000003.411992213.000007FFFE663000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.10.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1394928
Start date and time:	2024-02-20 03:24:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	test.msi
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winMSI@16/23@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 85 Number of non-executed functions: 120
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, VSSVC.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.93
Excluded domains from analysis (whitelisted): onedsblobprdcus07.centralus.cloudapp.azure.com, watson.microsoft.com, legacywatson.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:25:06	API Interceptor	7047x Sleep call for process: msiexec.exe modified
03:25:30	API Interceptor	2x Sleep call for process: icacls.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\4cd6e0f52e7043469984c6056cd7318a.tmp	build-x64.msi	Get hash	malicious	DarkGate, MailPassView	Browse
	build-x64.msi	Get hash	malicious	DarkGate, MailPassView	Browse
	build-x64.msi	Get hash	malicious	DarkGate, MailPassView	Browse
	build-x64.msi	Get hash	malicious	DarkGate, MailPassView	Browse
	pullofmaster.msi	Get hash	malicious	MailPassView	Browse
	reincarnation.msi	Get hash	malicious	MailPassView	Browse
	reincarnation.msi	Get hash	malicious	MailPassView	Browse
	http://5.181.159.23/Downloads/reincarnation.zip	Get hash	malicious	MailPassView	Browse
	prtyhguafelif.msi	Get hash	malicious	MailPassView	Browse
	prtyhguafelif.msi	Get hash	malicious	MailPassView	Browse

Created / dropped Files

C:\System Volume Information\SPP\OnlineMetadataCache\{7d5179c7-4762-4530-acc6-35e44f91e313}_OnDiskSnapshotProp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3168
Entropy (8bit):	3.6846407675176867
Encrypted:	false
SSDEEP:	48:oGG0jT9N38RN3xp/7wP8c1SFjwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6Rey8H:pGQD4PUiF8fHzbOHXOHB9BpiV
MD5:	5CFA075FF4295278B4D69E15551B640F
SHA1:	71CFDF0BC80780F4DF273C3AFB1205D3D1A84255
SHA-256:	E12D5050DEF9E3C4F0788EDC3AE2A9E6944B41F62411E39EFAC570D50B20313B
SHA-512:	E75C6E9786E69EB94C9B537D89269D2A21866B9984A0AC48E633839E719D02B3278DB6EA3691442FE3D5828F1EC6DE09C4FA72E35E3BF8FA5FF590216FAD3FBD
Malicious:	false
Reputation:	low
Preview:	.D.....M..,....c.a..............8........yQ}bG0E..5.O...9..........$.c..........M..0.<fK...; ...............................$.......8...P.......P...I.n.s.t.a.l.l.e.d. .i.T.u.n.e.s. .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m...............C.:.\.W.i.n.d.o.w.s.\...............6.1.0.9.3.0.................W.O.R.K.G.R.O.U.P.......DB.U...J.m...l....................).(?..P............. ...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...p...t...x...\|...........%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .1.9...0.1.0...2.0.0.9.8.....).......)...A.d.o.b.e. .F.l.a.s.h. .P.l.

C:\System Volume Information\SPP\metadata-2

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	SysEx File - Twister
Category:	dropped
Size (bytes):	9068216
Entropy (8bit):	3.679389294170859
Encrypted:	false
SSDEEP:	12288:OF4TY0YEzT4G09wqLB9K43gd8caDtDIY8/mhjTLQSI5JnJYKnAOYlTL9VZYbEIIw:k6jq9g8caP7y0ljdAGmm/rmHp
MD5:	3CAD0E7A19023FE26028C7C7A7778471
SHA1:	626EA2D838E52DEA102D3E01607A7370D580A515
SHA-256:	78237D535C6E13FA99B5F2D2D722FDFD982E661A1649E46D696E49BC81F816CE
SHA-512:	43A0E8A48B2C6052D82A90CB709E3002937A8FEDA82D342B08999943A4DB641CEEB9FC19DC4CA0FAAB7E356578796F0AF4BF048554C6CB84E74F60270E356D2D
Malicious:	false
Reputation:	low
Preview:	.%..=..J.....>.(.l.h............^...................... ...Y.......Y...<.B.A.C.K.U.P._.C.O.M.P.O.N.E.N.T.S. .x.m.l.n.s.=.".x.-.s.c.h.e.m.a.:.#.V.s.s.C.o.m.p.o.n.e.n.t.M.e.t.a.d.a.t.a.". .v.e.r.s.i.o.n.=.".1...2.". .b.o.o.t.a.b.l.e.S.y.s.t.e.m.S.t.a.t.e.B.a.c.k.u.p.=.".y.e.s.". .s.e.l.e.c.t.C.o.m.p.o.n.e.n.t.s.=.".y.e.s.". .b.a.c.k.u.p.T.y.p.e.=.".f.u.l.l.". .p.a.r.t.i.a.l.F.i.l.e.S.u.p.p.o.r.t.=.".y.e.s.". .s.n.a.p.s.h.o.t.S.e.t.I.d.=.".7.d.5.1.7.9.c.7.-.4.7.6.2.-.4.5.3.0.-.a.c.c.6.-.3.5.e.4.4.f.9.1.e.3.1.3.".>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.n.s.t.a.n.c.e.I.d.=.".5.9.8.9.2.0.4.9.-.a.3.c.8.-.4.0.3.4.-.9.3.6.9.-.8.a.0.8.c.9.4.0.6.e.4.7.". .w.r.i.t.e.r.I.d.=.".e.8.1.3.2.9.7.5.-.6.f.9.3.-.4.4.6.4.-.a.5.3.e.-.1.0.5.0.2.5.3.a.e.2.2.0.". .b.a.c.k.u.p.S.c.h.e.m.a.=.".0.".>.<.C.O.M.P.O.N.E.N.T. .c.o.m.p.o.n.e.n.t.N.a.m.e.=.".S.y.s.t.e.m. .F.i.l.e.s.". .c.o.m.p.o.n.e.n.t.T.y.p.e.=.".f.i.l.e.g.r.o.u.p."./.>.<./.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S.>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.

C:\System Volume Information\SPP\snapshot-2

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3168
Entropy (8bit):	3.6846407675176867
Encrypted:	false
SSDEEP:	48:oGG0jT9N38RN3xp/7wP8c1SFjwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6Rey8H:pGQD4PUiF8fHzbOHXOHB9BpiV
MD5:	5CFA075FF4295278B4D69E15551B640F
SHA1:	71CFDF0BC80780F4DF273C3AFB1205D3D1A84255
SHA-256:	E12D5050DEF9E3C4F0788EDC3AE2A9E6944B41F62411E39EFAC570D50B20313B
SHA-512:	E75C6E9786E69EB94C9B537D89269D2A21866B9984A0AC48E633839E719D02B3278DB6EA3691442FE3D5828F1EC6DE09C4FA72E35E3BF8FA5FF590216FAD3FBD
Malicious:	false
Reputation:	low
Preview:	.D.....M..,....c.a..............8........yQ}bG0E..5.O...9..........$.c..........M..0.<fK...; ...............................$.......8...P.......P...I.n.s.t.a.l.l.e.d. .i.T.u.n.e.s. .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m...............C.:.\.W.i.n.d.o.w.s.\...............6.1.0.9.3.0.................W.O.R.K.G.R.O.U.P.......DB.U...J.m...l....................).(?..P............. ...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...p...t...x...\|...........%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .1.9...0.1.0...2.0.0.9.8.....).......)...A.d.o.b.e. .F.l.a.s.h. .P.l.

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files.cab

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, many, 3787661 bytes, 3 files, at 0x2c +A "CoreFoundation.dll" +A "iTunesHelper.exe", ID 3031, number 1, 116 datablocks, 0 compression
Category:	dropped
Size (bytes):	3787661
Entropy (8bit):	7.088009022003999
Encrypted:	false
SSDEEP:	49152:bhGczyqOSKGLcLxxYuYLRlJ7lzkiBVlR3/BzuAPeJx3B+JLilx:DqM9LDEKXVuAPMuWx
MD5:	C6DB776A99F2CF475C5E8F21AFC03E24
SHA1:	3AC870CACD414130E84CF91816762A6E19BE81E4
SHA-256:	A5CC24AD961584E5508235A15284ABD912B3FDE4A2A145D4DC11281C1F9C9EAB
SHA-512:	91A3D9AE6340E26EC177ADD69A2C9DF3D06F683EB7E71E4F0F183B691C12F4376FCD80D30CC6763F002B3F85C992BEA6492511A8E81D3C5EF6AF6CE391A8E919
Malicious:	false
Reputation:	low
Preview:	MSCF......9.....,.......................t....<........SX.i .CoreFoundation.dll.`....<....SX.i .iTunesHelper.exe.....`.....SX.i .sqlite3.dll..c......MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...Y..e.........." ................PI........@..............................P............`.......................... ...................,........... ...........1...................................................................................................text...d........................... ..`.data...............................@....bss.....................................idata..............................@....didata.............................@....edata...,..........................@..@.rdata..E...........................@..@.reloc..............................@..B.pdata...1..

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\4cd6e0f52e7043469984c6056cd7318a.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	366944
Entropy (8bit):	6.80696281718998
Encrypted:	false
SSDEEP:	6144:TjZtNtzxEFQVLEhZbblN4W6ZDNFfEai23+FM2+zIv+98vS:ZRxMQLEhZXybF8Ut4o8a
MD5:	ED6A1C72A75DEE15A6FA75873CD64975
SHA1:	67A15CA72E3156F8BE6C46391E184087E47F4A0D
SHA-256:	0D8878CCA08903777888B3681F90E4A07C7AEF7D9600A67DFA985844D4BF5EDA
SHA-512:	256C2EBFEB42C2D3340D8BB423EF0AE48D5FB9FE5CA09C363595F51A03007482B67A777E4CAE7A8194F69BC3A3FBCDB9ABB5C9F92097925272431BB9D50F5C03
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: build-x64.msi, Detection: malicious, Browse Filename: build-x64.msi, Detection: malicious, Browse Filename: build-x64.msi, Detection: malicious, Browse Filename: build-x64.msi, Detection: malicious, Browse Filename: pullofmaster.msi, Detection: malicious, Browse Filename: reincarnation.msi, Detection: malicious, Browse Filename: reincarnation.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: prtyhguafelif.msi, Detection: malicious, Browse Filename: prtyhguafelif.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S7...V...V...V..\....V..X...V..X...V..\....V..\....V..\....V...?...V...V...V..X..)V......V...@..V......V..Rich.V..................PE..d...c.^d.........."...."............T..........@....................................o.....`..........................................................`...5... ...%...J..`O......x.......T.......................(.......@............................................text............................... ..`.rdata..............................@..@.data...$(..........................@....pdata...%... ...&..................@..@_RDATA..\....P......................@..@.rsrc....5...`...6..................@..@.reloc..x............B..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\642bddc38bf301459161108c3729c2ed.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1719296
Entropy (8bit):	6.055171532365611
Encrypted:	false
SSDEEP:	24576:AQ/h+rgAzii/l7Zn3bUgxgH37CcALvMSdFLmEx239t:Ph4ZzJtMSdFLmEx23
MD5:	55AC845A22243538FCA3A1852858749F
SHA1:	A1973049289A3492355EC42FDA3C653A7A1F289C
SHA-256:	DD3B108D0BDB49D5AD268C65D01A39A4A832F4C49B07CFEC4FF74AD4E869A112
SHA-512:	E5DA92A1321C6A3D262A3B0E8F308E5DCA4CE8F5F8389F09882197C5245001269F612D2121A541E7B6C6BC3E819E5EB3F06C54C541CC1E44EAE57337A2DEA965
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 20%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...Y..e.........." ................PI........@..............................P............`.......................... ...................,........... ...........1...................................................................................................text...d........................... ..`.data...............................@....bss.....................................idata..............................@....didata.............................@....edata...,..........................@..@.rdata..E...........................@..@.reloc..............................@..B.pdata...1.......2..................@..@.rsrc........ ......................@..@.............P.......<..............@..@........................................

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\7435303a8a57ec42bc473d49b21b1a7e.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	data
Category:	dropped
Size (bytes):	1700353
Entropy (8bit):	7.442687329839771
Encrypted:	false
SSDEEP:	24576:ilz6vgGSKeJy5QuxYPFPRM/ATuM+Efe5DS4MX+SAo2iR/Z+MTXJTimJjz:ilzu/6FPRM/ATu1ge5Dlk+C9FvN
MD5:	B9134A3839483552F1804BF284318622
SHA1:	8F1DAAA235A1A113657638184C5DE9284F04AEBA
SHA-256:	E04B368D08D638A53290FD6DD19D301C4992113733759BD59799BFE0D7300AD9
SHA-512:	C83459D68239DAE17899B4601356E46665038A0A75C69E9F1BDBD38231D90BA88C67ABD8E4FA207C2564FFBC7D548E3B802E1B37D38B7C94908074A6FA1F30EE
Malicious:	false
Preview:	(....Deke...M-..DW.@e...AWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVEek.HAYI.l.D.@..e..10($v4...* :v)...x#2v6..E-/336E<.6wc[NA\eXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDek5.AW2.nk...2VDekeXAW.DGknZIWV.gke.AWVDek..CWVTekeX.WVDekeHAWVTekcXAWVDekcXAWVDeke.EWV@ekeXAWTD..eXQWVDeke.AWVDekeXQWVDekexAWVDekeXAWFDekehEW#DekeHEWTHeke.EWVPeke.EWnaekeXAWVDeke8EWfeekeXAWVDekeXAWVDekeXAWVDeke.EW~DekeXAWVDekeXAWVDek]KEW.FekexEW6FekeXAWVDekeXAWVDekK,$/"Deke.CWVTeke.CWVTekeXAWVDekeXAWvDe.K< #7Deke8AWVDfke8AWVDfkeXAWVDekeXAW.De.K:2$VDeke.AWV$fke.AWV$fkeXAWVDekeXAWVDe.K1%6"%ekeHAWVTakeHAWVTakeXAWVDekeXAW.De.K<(370.keHAWVdakeHAWVdakeXAWVDekeXAW.De.K=%6"%ekeHAWVtakeHAWVtakeXAWVDekeXAW.De+K,-$VDekeHAWV.akeHAWV.akeXAWVDekeXAWVDe.K%6"%ekeHAWV.akeHAWV.akeXAWVDekeXAW.De+K$;9'ekehAWV$akehAWV$akeXAWVDekeXAW.De)K(%6"%ekehAWV.akehAWV.akeXAWVDekeXAW.De+K*2%5DekexAWV.akexAWV.akeXAWVDekeXAW.De+eXAWVDekeXAWV.akeXAWV.fkeXAWVDekeXAW.De+

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\CoreFoundation.dll (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1719296
Entropy (8bit):	6.055171532365611
Encrypted:	false
SSDEEP:	24576:AQ/h+rgAzii/l7Zn3bUgxgH37CcALvMSdFLmEx239t:Ph4ZzJtMSdFLmEx23
MD5:	55AC845A22243538FCA3A1852858749F
SHA1:	A1973049289A3492355EC42FDA3C653A7A1F289C
SHA-256:	DD3B108D0BDB49D5AD268C65D01A39A4A832F4C49B07CFEC4FF74AD4E869A112
SHA-512:	E5DA92A1321C6A3D262A3B0E8F308E5DCA4CE8F5F8389F09882197C5245001269F612D2121A541E7B6C6BC3E819E5EB3F06C54C541CC1E44EAE57337A2DEA965
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 20%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...Y..e.........." ................PI........@..............................P............`.......................... ...................,........... ...........1...................................................................................................text...d........................... ..`.data...............................@....bss.....................................idata..............................@....didata.............................@....edata...,..........................@..@.rdata..E...........................@..@.reloc..............................@..B.pdata...1.......2..................@..@.rsrc........ ......................@..@.............P.......<..............@..@........................................

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	366944
Entropy (8bit):	6.80696281718998
Encrypted:	false
SSDEEP:	6144:TjZtNtzxEFQVLEhZbblN4W6ZDNFfEai23+FM2+zIv+98vS:ZRxMQLEhZXybF8Ut4o8a
MD5:	ED6A1C72A75DEE15A6FA75873CD64975
SHA1:	67A15CA72E3156F8BE6C46391E184087E47F4A0D
SHA-256:	0D8878CCA08903777888B3681F90E4A07C7AEF7D9600A67DFA985844D4BF5EDA
SHA-512:	256C2EBFEB42C2D3340D8BB423EF0AE48D5FB9FE5CA09C363595F51A03007482B67A777E4CAE7A8194F69BC3A3FBCDB9ABB5C9F92097925272431BB9D50F5C03
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S7...V...V...V..\....V..X...V..X...V..\....V..\....V..\....V...?...V...V...V..X..)V......V...@..V......V..Rich.V..................PE..d...c.^d.........."...."............T..........@....................................o.....`..........................................................`...5... ...%...J..`O......x.......T.......................(.......@............................................text............................... ..`.rdata..............................@..@.data...$(..........................@....pdata...%... ...&..................@..@_RDATA..\....P......................@..@.rsrc....5...`...6..................@..@.reloc..x............B..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\sqlite3.dll (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	data
Category:	dropped
Size (bytes):	1700353
Entropy (8bit):	7.442687329839771
Encrypted:	false
SSDEEP:	24576:ilz6vgGSKeJy5QuxYPFPRM/ATuM+Efe5DS4MX+SAo2iR/Z+MTXJTimJjz:ilzu/6FPRM/ATu1ge5Dlk+C9FvN
MD5:	B9134A3839483552F1804BF284318622
SHA1:	8F1DAAA235A1A113657638184C5DE9284F04AEBA
SHA-256:	E04B368D08D638A53290FD6DD19D301C4992113733759BD59799BFE0D7300AD9
SHA-512:	C83459D68239DAE17899B4601356E46665038A0A75C69E9F1BDBD38231D90BA88C67ABD8E4FA207C2564FFBC7D548E3B802E1B37D38B7C94908074A6FA1F30EE
Malicious:	false
Preview:	(....Deke...M-..DW.@e...AWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVEek.HAYI.l.D.@..e..10($v4...* :v)...x#2v6..E-/336E<.6wc[NA\eXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDekeXAWVDek5.AW2.nk...2VDekeXAW.DGknZIWV.gke.AWVDek..CWVTekeX.WVDekeHAWVTekcXAWVDekcXAWVDeke.EWV@ekeXAWTD..eXQWVDeke.AWVDekeXQWVDekexAWVDekeXAWFDekehEW#DekeHEWTHeke.EWVPeke.EWnaekeXAWVDeke8EWfeekeXAWVDekeXAWVDekeXAWVDeke.EW~DekeXAWVDekeXAWVDek]KEW.FekexEW6FekeXAWVDekeXAWVDekK,$/"Deke.CWVTeke.CWVTekeXAWVDekeXAWvDe.K< #7Deke8AWVDfke8AWVDfkeXAWVDekeXAW.De.K:2$VDeke.AWV$fke.AWV$fkeXAWVDekeXAWVDe.K1%6"%ekeHAWVTakeHAWVTakeXAWVDekeXAW.De.K<(370.keHAWVdakeHAWVdakeXAWVDekeXAW.De.K=%6"%ekeHAWVtakeHAWVtakeXAWVDekeXAW.De+K,-$VDekeHAWV.akeHAWV.akeXAWVDekeXAWVDe.K%6"%ekeHAWV.akeHAWV.akeXAWVDekeXAW.De+K$;9'ekehAWV$akehAWV$akeXAWVDekeXAW.De)K(%6"%ekehAWV.akehAWV.akeXAWVDekeXAW.De+K*2%5DekexAWV.akexAWV.akeXAWVDekeXAW.De+eXAWVDekeXAWV.akeXAWV.fkeXAWVDekeXAW.De+

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\msiwrapper.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1506
Entropy (8bit):	3.670637874801362
Encrypted:	false
SSDEEP:	24:Fmw5dX8DW8XjsKgEblbeYcxdrFEqjCOqjCIyDqjCllzmjHGj+Y:nYgJEb1cxhFxjOj37jRjmjd
MD5:	41D842B9F3CF8CF47E872492D42CEAB5
SHA1:	3DD789CDC3162ACADC56F59ADF7C4840E77A6886
SHA-256:	937758D7C18F6F299887673933CB662A737F8A4A6F143FEC7681FF7D87D9B9FD
SHA-512:	3AF890F42019C5AECBF8531D1E41DB44D4A05EA13BEEB044C3520E5CBD9B8F8EC044EB20D084CF78D3678599BE59189793227C8C0834692805C21828B18A6525
Malicious:	false
Preview:	W.r.a.p.p.e.d.A.p.p.l.i.c.a.t.i.o.n.I.d.=.{.2.C.B.A.8.8.3.F.-.5.1.A.6.-.3.D.7.D.-.D.B.B.9.-.0.5.2.7.D.3.9.4.3.3.C.B.}...W.r.a.p.p.e.d.R.e.g.i.s.t.r.a.t.i.o.n.=.H.i.d.d.e.n...I.n.s.t.a.l.l.S.u.c.c.e.s.s.C.o.d.e.s.=.0...E.l.e.v.a.t.i.o.n.M.o.d.e.=.n.e.v.e.r...B.a.s.e.N.a.m.e.=.i.T.u.n.e.s.H.e.l.p.e.r...e.x.e...C.a.b.H.a.s.h.=.a.5.c.c.2.4.a.d.9.6.1.5.8.4.e.5.5.0.8.2.3.5.a.1.5.2.8.4.a.b.d.9.1.2.b.3.f.d.e.4.a.2.a.1.4.5.d.4.d.c.1.1.2.8.1.c.1.f.9.c.9.e.a.b...S.e.t.u.p.P.a.r.a.m.e.t.e.r.s.=...W.o.r.k.i.n.g.D.i.r.=...C.u.r.r.e.n.t.D.i.r.=..F.I.L.E.S.D.I.R....U.I.L.e.v.e.l.=.5...F.o.c.u.s.=.y.e.s...S.e.s.s.i.o.n.D.i.r.=.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.c.4.0.7.3.f.3.e.-.f.9.c.7.-.4.3.7.a.-.a.2.9.1.-.d.d.b.9.5.c.0.9.9.0.6.8.\...F.i.l.e.s.D.i.r.=.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.c.4.0.7.3.f.3.e.-.f.9.c.7.-.4.3.7.a.-.a.2.9.1.-.d.d.b.9.5.c.0.9.9.0.6.8.\.f.i.l.e.s.\...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.F.i.l.e.=...R.u.n.

C:\Users\user\AppData\Local\Temp\~DF14CF158985C82578.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC498C58ABD293963.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.13073060199261402
Encrypted:	false
SSDEEP:	24:Bwq/jwY+0JfAebfddipV7sddipVlVIwGzlrkg9SXWp+Qt:1rfddSBsddSHsrfN
MD5:	62A0669A40F93ED77D9512C4B5ADF37D
SHA1:	78984CC9F35CC29423D8D32E21ED88C0027DF9C1
SHA-256:	1866DDDB3AE2CADD194A1BD21B2D6BBDCA38E8D426B51A9BB400E716A7672F4F
SHA-512:	541C72C459388936754F6975229A11548D346639E674B77ABA9DE2CF19F28EBBE938573C4A0A44D3B655F2F206E362867C418BBB9DC1DDC87E7FC13D73EA8BCF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF9711021A423063A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06823305906313656
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOYXldHjSHZRqtoVky6l0t/:2F0i8n0itFzDHFYXvOHvqx01
MD5:	F0AF69413A92F1A1FCDD133FEC6B536E
SHA1:	5A41BF7A77035D56AB14732DFE40F93A7B273D3A
SHA-256:	17C43CD6EF4DD3E8CE62607B0A29A77BDE8B13B746FBD511C0AEED3A3E99C163
SHA-512:	FC440769D8541BC6127B3199F2D2E13F9DC0E135D4989BC7F0D793E55A12C8674FC57E101A1230AD722A84C75B217E92D20C7C628D795030329F12A06827B9DE
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cBDKKEc

Download File

Process:	C:\temp\Autoit3.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.709868358901741
Encrypted:	false
SSDEEP:	3:B1FhUFN:Ba
MD5:	19E5056E44B6E475D155AFEE59738FBD
SHA1:	8970489243D86DF4F2B3BC7BFF12A903E6E0BD19
SHA-256:	9DBD1F2B086ED062994024A821A3C901346A05C631E7E24CD07468EE62BC04EF
SHA-512:	2CAB1153DEDD30EC53432E37BA7EF43F70F9F79B0FA43107D46458EBB08FA3B15586E60FFA67D351158016CCB5D2EE369C60101C8F82FE9966067DDA3A3769C8
Malicious:	false
Preview:	HBEhccGdHFAfDFcDfEDFCbhCAHAGfBeh

C:\Windows\Installer\78bc1f.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: iTunes - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 12.12.9.4, Subject: iTunes - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Apple Inc., Keywords: Installer, Template: Intel;1033, Revision Number: {990E7B22-F011-40C1-BDFC-45B6D5B32DED}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2
Category:	dropped
Size (bytes):	4038656
Entropy (8bit):	7.067723557061814
Encrypted:	false
SSDEEP:	49152:0pUPBhGczyqOSKGLcLxxYuYLRlJ7lzkiBVlR3/BzuAPeJx3B+JLil:0pUqM9LDEKXVuAPMuW
MD5:	54C2F6B177E71EC4C262930566A282D1
SHA1:	B39E90C76E1FB6E4DC6F2D4ED034BA7B9C82BF23
SHA-256:	3ED9BC94879D6DB3F296F8B948645A6EA9F9D4201D0209A71FBC62BF73E2E848
SHA-512:	7B84D5784626707E808BC7A8E0B15FB23F7FAF3DC77E3AA720A18E89E494C98850B1B6DE52B25F43463E5A39AAC2DB1EDEBBD6C891976D89FACD1F775CF16E43
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\78bc20.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5515994104973243
Encrypted:	false
SSDEEP:	24:J+FC/llm6cpmUHCpfbuqKt+Q71TddipVlVIwGzlrkg9SCddipV7eJfAebgwY+5w6:c0pcDH2buVNlddSHsrbddSBer
MD5:	A7DF3BDAE35CC9751ED42C0AEAFF58D9
SHA1:	4A1095AA5EBFAA799B3E9C37E462DA2D28938BE2
SHA-256:	6F59FD9C8EF6D0864068D343E3815954C4C41EA4F0502D12A37A8ED0A07A4A35
SHA-512:	A76DB0DF0223846B20991B84682617F6A46AF2EA38B53B4E3C7B16226F51F49B3E5D1C750A249E87A3A06E20040D4F5CB022BBC878450100AB0CDCCBBA644166
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7956.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	212992
Entropy (8bit):	6.5134888693588575
Encrypted:	false
SSDEEP:	3072:3spAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLf2loHUvULyGxr5lqM2a8:BtOdiRQYpgjpjew5GAyGxjqo8
MD5:	D82B3FB861129C5D71F0CD2874F97216
SHA1:	F3FE341D79224126E950D2691D574D147102B18D
SHA-256:	107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
SHA-512:	244B7675E70AB12AA5776F26E30577268573B725D0F145BFC6B848D2BD8F014C9C6EAB0FC0E4F0A574ED9CA1D230B2094DD88A2146EF0A6DB70DBD815F9A5F5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......b...........!.....h..........K...............................................{....@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`.....................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{D191C7DA-1F42-42D6-B05E-3A9CF93788FB}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.159856500092105
Encrypted:	false
SSDEEP:	12:JSbX72FjoXiAGiLIlHVRpzh/7777777777777777777777777vDHFYXvOHvSQp0V:J2SQI53ySE8F
MD5:	D400106F217DEFF5C12BF68EFDA72891
SHA1:	9054D5983038723B0DB1E50C68E670D028767F97
SHA-256:	636F02CC601C8D1C387FF23351D91A60C9F0500DBCD2D1F7C6883D68F39E525F
SHA-512:	2364C8753161A42CE5AB85C7C6B1D520A6541A1CDAB544E249A3440FD7E8F295459B235D9901EC4A195D0559D863FE08595756839E891B440195ED05CC865E33
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Logs\DPX\setupact.log

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	969
Entropy (8bit):	4.270626702072148
Encrypted:	false
SSDEEP:	12:adMfdN6uFp76uF6dN6uFp76uFp6fdMfdN6uFp76uFp6r:Z76Kp76KY6Kp76Kp6676Kp76Kp6r
MD5:	E380909C816036155BCF24E83A3A6BC9
SHA1:	214DAC2CCCA2CD2D3A7A173A84CDCFAFC8A7BFFE
SHA-256:	0D951499669BD03EB95AF009911C28302FD55FAC5935AE100D54E4389B97EF0B
SHA-512:	046879D308130BFDA721D96B99FA35CBFA7BE06F5E093BE132E1A46B6BD8BF32CC6C4B30A5B58CEA8B67C428D43DFCDA5840B1A07507CAE1A9EF16EC7780CB43
Malicious:	false
Preview:	.2024-02-20 03:25:30, Info DPX Started DPX phase: Resume and Download Job..2024-02-20 03:25:30, Info DPX Started DPX phase: Apply Deltas Provided In File..2024-02-20 03:25:30, Info DPX Ended DPX phase: Apply Deltas Provided In File..2024-02-20 03:25:30, Info DPX Started DPX phase: Apply Deltas Provided In File..2024-02-20 03:25:30, Info DPX Ended DPX phase: Apply Deltas Provided In File..2024-02-20 03:25:30, Info DPX Ended DPX phase: Resume and Download Job..2024-02-20 03:25:30, Info DPX Started DPX phase: Resume and Download Job..2024-02-20 03:25:30, Info DPX Started DPX phase: Apply Deltas Provided In File..2024-02-20 03:25:30, Info DPX Ended DPX phase: Apply Deltas Provided In File..2024-02-20 03:25:30, Info DPX Ended DPX phase: Resume and Download Job..

C:\temp\Autoit3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 4%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\temp\script.a3x

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe
File Type:	data
Category:	dropped
Size (bytes):	485612
Entropy (8bit):	7.2783857027445995
Encrypted:	false
SSDEEP:	12288:LtlETFoVvMZo2iR/4gwYtV+MTGKJsG+qkurJjM:p+SAo2iR/Z+MTXJTimJjM
MD5:	8AB7038B4C8BB4045439C34877B3D987
SHA1:	8238100A487D9CCC7606109BD86F7B46A0FA3630
SHA-256:	F3DE47B6E1D07ECB4CB3CB047EDDEECFCE0ED692963D1AE7AD59FAD45794B995
SHA-512:	7894E8338A6D31F9EE0F43AAFACAE7E8C5845ED55C1B34B7D681820A5A2767F23BF693C225F0B001BB91A6149ECB9BBD5FDF86B4E46816CF585CD2116862E4D3
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M........+..M...F.f.q..R,..].>>.r.nw.i@.../9...w.6..;..$dr..yO.n....-.....qH..O....?@....L.9"...]g....z.}_.1N(...+..............wc....I.wc....I.kC.R......%x....}...q..U-...(....%....V..?p.h.....l)".N.#.R......v.k@3.Q..\...I.h...%D'7...Y.....6(..)w....+...........7.`....8.u....h..0p.R%. ....^Z.B..=H.{.X......(...F...o..wc..Co..wc....I.m.........8.5...x...(.U?j....$.1.#.~.\......<.iw..}.k.5-\|...d..6c).&.....CZ'.....j.q..E.3X-......O..y......cW ..n..0....y.. N/....M.......9.iO..../.]...7"-.B)Y....i...cM.`...d.T.Ff..;..R.Z3..K..?...q5M"....Y....,@...=.'..H.GN..@6J;....eX..p....l...Gfy.;.....m@..1.,....!...q.5.\U)..C..X.m=.U..5....q.....vM9o.1.C....H..v.L..Q.J...\|4.....).lD..D....$..L....s....seb.....,r<..Jp\.lQk(....Z..A...K..iVR..~....t.n[`<..y.D.m=...fC.A........o ......<.k.n......\...d...4*...........r..])SdT"...A..b.:.....9.s.,.Dl.....sS..

C:\temp\test.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	76
Entropy (8bit):	6.247927513443591
Encrypted:	false
SSDEEP:	3:KvRcujLr4BWCh1WSjgHMjb8T:uRcef4B3cSxy
MD5:	768DE4581F6B36192556A9C8FEA206FC
SHA1:	F9B836DEC6B1C7C02A81F3203FB659653229EB0F
SHA-256:	611DECD13720D94BDB697F3B0D3831D80CBF5F564BDC7C81FAD2339205DFB17B
SHA-512:	3E5A3D947584DA521407C3EEC2816E5BB038EA09F1E7F942A742A31AB0BD0EDEBD237E0B36A9E6799AA5ADC60E1CDD247A1293B6C73908C4D4DC766C935EBD7B
Malicious:	false
Preview:	g]kz"BtRa2s9*FwVjvbNp7dEQ5G[y6,Hre0M4{iP TKL}1(.c3uI)&ZmxS=OACqU8DnJYfhX$Wlo

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: iTunes - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 12.12.9.4, Subject: iTunes - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Apple Inc., Keywords: Installer, Template: Intel;1033, Revision Number: {990E7B22-F011-40C1-BDFC-45B6D5B32DED}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2
Entropy (8bit):	7.067723557061814
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	test.msi
File size:	4'038'656 bytes
MD5:	54c2f6b177e71ec4c262930566a282d1
SHA1:	b39e90c76e1fb6e4dc6f2d4ed034ba7b9c82bf23
SHA256:	3ed9bc94879d6db3f296f8b948645a6ea9f9d4201d0209a71fbc62bf73e2e848
SHA512:	7b84d5784626707e808bc7a8e0b15fb23f7faf3dc77e3aa720a18e89e494c98850b1b6de52b25f43463e5a39aac2db1edebbd6c891976d89facd1f775cf16e43
SSDEEP:	49152:0pUPBhGczyqOSKGLcLxxYuYLRlJ7lzkiBVlR3/BzuAPeJx3B+JLil:0pUqM9LDEKXVuAPMuW
TLSH:	5B16496B7640B069C159A13FC4FE6F03B1326061173584CBF5A81F65ADB64C39EFBA88
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	1
Start time:	03:25:04
Start date:	20/02/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\test.msi"
Imagebase:	0xff2f0000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:25:07
Start date:	20/02/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0xff2f0000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:25:28
Start date:	20/02/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 5F18B271DCB7565374F8A7B6F18643C9
Imagebase:	0x8d0000
File size:	73'216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:25:29
Start date:	20/02/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Imagebase:	0xd00000
File size:	27'136 bytes
MD5 hash:	1542A92D5C6F7E1E80613F3466C9CE7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:25:30
Start date:	20/02/2024
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Imagebase:	0x3a0000
File size:	53'248 bytes
MD5 hash:	659CED6D7BDA047BCC6048384231DB9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:25:31
Start date:	20/02/2024
Path:	C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe"
Imagebase:	0x13fbd0000
File size:	366'944 bytes
MD5 hash:	ED6A1C72A75DEE15A6FA75873CD64975
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:25:31
Start date:	20/02/2024
Path:	C:\temp\Autoit3.exe
Wow64 process (32bit):	true
Commandline:	"c:\temp\Autoit3.exe" c:\temp\script.a3x
Imagebase:	0xf80000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 0000000B.00000002.414032605.0000000003827000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 3%, ReversingLabs Detection: 4%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:26:17
Start date:	20/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files"
Imagebase:	0x4a7c0000
File size:	302'592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:26:18
Start date:	20/02/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Imagebase:	0xf90000
File size:	27'136 bytes
MD5 hash:	1542A92D5C6F7E1E80613F3466C9CE7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.9%
Dynamic/Decrypted Code Coverage:	3.5%
Signature Coverage:	13.4%
Total number of Nodes:	433
Total number of Limit Nodes:	12

Executed Functions

Function 6BE54890 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 6BE548D8
RegOpenKeyExW.ADVAPI32 ref: 6BE54933
RegOpenKeyExW.ADVAPI32 ref: 6BE54961
RegOpenKeyExW.ADVAPI32 ref: 6BE5498F
RegOpenKeyExW.ADVAPI32 ref: 6BE549BD
RegOpenKeyExW.ADVAPI32 ref: 6BE549E7
RegOpenKeyExW.ADVAPI32 ref: 6BE54A11
RegQueryValueExW.ADVAPI32 ref: 6BE54A56
RegQueryValueExW.ADVAPI32 ref: 6BE54A95
RegQueryValueExW.ADVAPI32 ref: 6BE54AD8
RegQueryValueExW.ADVAPI32 ref: 6BE54B1A
RegCloseKey.ADVAPI32 ref: 6BE54B50

Strings

Software\Borland\Delphi\Locales, xrefs: 6BE549F5
Software\Borland\Locales, xrefs: 6BE549CB
Software\CodeGear\Locales, xrefs: 6BE54973, 6BE549A1
Software\Embarcadero\Locales, xrefs: 6BE54917, 6BE54945

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: a39e68c356ca0a0198371222888fedf7f107c6aec0af0a3aa8cb3a070aa24a0a
Instruction ID: a2cc885a684b8ac50ec2a9e99074a21af9d2a17821cfddf4f86380ad625c20e3
Opcode Fuzzy Hash: a39e68c356ca0a0198371222888fedf7f107c6aec0af0a3aa8cb3a070aa24a0a
Instruction Fuzzy Hash: 7661C872204B8599EB70CF71E8983DA23B5F78578CF60111A9A8D8BB1DEF79C265C340

Uniqueness

Uniqueness Score: -1.00%

Function 0208ED60 Relevance: 5.2, Strings: 4, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Software\Embarcadero\Locales, xrefs: 0208EDE7, 0208EE15
Software\Borland\Locales, xrefs: 0208EE9B
Software\Borland\Delphi\Locales, xrefs: 0208EEC5
Software\CodeGear\Locales, xrefs: 0208EE43, 0208EE71

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 0-3496071916
Opcode ID: eb4080e26a6a0e409f81f20ba43894b999a40403412c9c1359f7bf0479805ccb
Instruction ID: 001e1a73b9fc9491a34b59f9c713be732532720d7d502fe0017c4993c8fe54c5
Opcode Fuzzy Hash: eb4080e26a6a0e409f81f20ba43894b999a40403412c9c1359f7bf0479805ccb
Instruction Fuzzy Hash: 14610C32204B8589EB70EF71E8983DB23A5F79978CF901125DA8D8BB29EF74C245D740

Uniqueness

Uniqueness Score: -1.00%

Function 6BE54F80 Relevance: 3.1, APIs: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNEL32 ref: 6BE54FAE
GetLocaleInfoW.KERNEL32 ref: 6BE54FC5

Part of subcall function 6BE54DD0: FindFirstFileW.KERNEL32 ref: 6BE54E02
Part of subcall function 6BE54DD0: FindClose.KERNEL32 ref: 6BE54E1D

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: f8ce65893ade70136e6809773108f5bdb7b857f027b8e6df90e5e9f62af2927b
Instruction ID: de319095d585a0041700780cd4cdbe2c354a4d78fba060b0c8fdd2aabd598e8c
Opcode Fuzzy Hash: f8ce65893ade70136e6809773108f5bdb7b857f027b8e6df90e5e9f62af2927b
Instruction Fuzzy Hash: 5521EF76220A5089DB10DF76D8913D927A1EB88BDCF60610AFA4E47B18CF39C5A68381

Uniqueness

Uniqueness Score: -1.00%

Function 6BE54DD0 Relevance: 3.0, APIs: 2, Instructions: 27
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32 ref: 6BE54E02
FindClose.KERNEL32 ref: 6BE54E1D

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 77909ad07fd8af244572eb0eba36558c16ec36278e2941940a98ef0bf065085b
Instruction ID: 6111ab7688b71f78df259beccf795f1e648680e82369d5f2f2a780121b687781
Opcode Fuzzy Hash: 77909ad07fd8af244572eb0eba36558c16ec36278e2941940a98ef0bf065085b
Instruction Fuzzy Hash: F5F05E122129C089CBB1DE30E8953E92311DB867ACF281755966D0BBE8DE19C2A58700

Uniqueness

Uniqueness Score: -1.00%

Function 0208F2A0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88213be1bcc6b02baa0199bba448e96ec685791caf600502c9c5e95722e0617e
Instruction ID: 7a874f54928a288591c77a9318c1dd7ff09441794071e6f2d6d063a87aa06ee7
Opcode Fuzzy Hash: 88213be1bcc6b02baa0199bba448e96ec685791caf600502c9c5e95722e0617e
Instruction Fuzzy Hash: FFF05416201AC089CBB1BF30D8A43EA2351DB8676CF181311D6AD0BBE4DE15C155AB40

Uniqueness

Uniqueness Score: -1.00%

Function 02091BB0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eeaecd384b77ed4a74c9ff714367a801a5bab5f1d4253a6534ed734200c150
Instruction ID: a9d79db428ec28b894fdb50921926b435af939adfe96438a2072844ddbe30efe
Opcode Fuzzy Hash: 56eeaecd384b77ed4a74c9ff714367a801a5bab5f1d4253a6534ed734200c150
Instruction Fuzzy Hash: EDB09222A148C0938611FB04D88204A7232F7D0B08FD00050E28942614CE18CA268E40

Uniqueness

Uniqueness Score: -1.00%

Function 6BF6C010 Relevance: 9236.6, APIs: 5267, Strings: 2, Instructions: 15891
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowW.USER32 ref: 6BF6C063
FindWindowW.USER32 ref: 6BF6C076
FindWindowW.USER32 ref: 6BF6C089
FindWindowW.USER32 ref: 6BF6C09C
FindWindowW.USER32 ref: 6BF6C0AF
FindWindowW.USER32 ref: 6BF6C0C2
FindWindowW.USER32 ref: 6BF6C0D5
FindWindowW.USER32 ref: 6BF6C0E8
FindWindowW.USER32 ref: 6BF6C0FB
FindWindowW.USER32 ref: 6BF6C10E
FindWindowW.USER32 ref: 6BF6C121
FindWindowW.USER32 ref: 6BF6C134
FindWindowW.USER32 ref: 6BF6C147
FindWindowW.USER32 ref: 6BF6C15A
FindWindowW.USER32 ref: 6BF6C16D
FindWindowW.USER32 ref: 6BF6C180
FindWindowW.USER32 ref: 6BF6C193
FindWindowW.USER32 ref: 6BF6C1A6
FindWindowW.USER32 ref: 6BF6C1B9
FindWindowW.USER32 ref: 6BF6C1CC
FindWindowW.USER32 ref: 6BF6C1DF
FindWindowW.USER32 ref: 6BF6C1F2
FindWindowW.USER32 ref: 6BF6C205
FindWindowW.USER32 ref: 6BF6C218
FindWindowW.USER32 ref: 6BF6C22B
FindWindowW.USER32 ref: 6BF6C23E
FindWindowW.USER32 ref: 6BF6C251
FindWindowW.USER32 ref: 6BF6C264
FindWindowW.USER32 ref: 6BF6C277
FindWindowW.USER32 ref: 6BF6C28A
FindWindowW.USER32 ref: 6BF6C29D
FindWindowW.USER32 ref: 6BF6C2B0
FindWindowW.USER32 ref: 6BF6C2C3
FindWindowW.USER32 ref: 6BF6C2D6
FindWindowW.USER32 ref: 6BF6C2E9
FindWindowW.USER32 ref: 6BF6C2FC
FindWindowW.USER32 ref: 6BF6C30F
FindWindowW.USER32 ref: 6BF6C322
FindWindowW.USER32 ref: 6BF6C335
FindWindowW.USER32 ref: 6BF6C348
FindWindowW.USER32 ref: 6BF6C35B
FindWindowW.USER32 ref: 6BF6C36E
FindWindowW.USER32 ref: 6BF6C381
FindWindowW.USER32 ref: 6BF6C394
FindWindowW.USER32 ref: 6BF6C3A7
FindWindowW.USER32 ref: 6BF6C3BA
FindWindowW.USER32 ref: 6BF6C3CD
FindWindowW.USER32 ref: 6BF6C3E0
FindWindowW.USER32 ref: 6BF6C3F3
FindWindowW.USER32 ref: 6BF6C406
FindWindowW.USER32 ref: 6BF6C419
FindWindowW.USER32 ref: 6BF6C42C
FindWindowW.USER32 ref: 6BF6C43F
FindWindowW.USER32 ref: 6BF6C452
FindWindowW.USER32 ref: 6BF6C465
FindWindowW.USER32 ref: 6BF6C478
FindWindowW.USER32 ref: 6BF6C48B
FindWindowW.USER32 ref: 6BF6C49E
FindWindowW.USER32 ref: 6BF6C4B1
FindWindowW.USER32 ref: 6BF6C4C4
FindWindowW.USER32 ref: 6BF6C4D7
FindWindowW.USER32 ref: 6BF6C4EA
FindWindowW.USER32 ref: 6BF6C4FD
FindWindowW.USER32 ref: 6BF6C510
FindWindowW.USER32 ref: 6BF6C523
FindWindowW.USER32 ref: 6BF6C536
FindWindowW.USER32 ref: 6BF6C549
FindWindowW.USER32 ref: 6BF6C55C
FindWindowW.USER32 ref: 6BF6C56F
FindWindowW.USER32 ref: 6BF6C582
FindWindowW.USER32 ref: 6BF6C595
FindWindowW.USER32 ref: 6BF6C5A8
FindWindowW.USER32 ref: 6BF6C5BB
FindWindowW.USER32 ref: 6BF6C5CE
FindWindowW.USER32 ref: 6BF6C5E1
FindWindowW.USER32 ref: 6BF6C5F4
FindWindowW.USER32 ref: 6BF6C607
FindWindowW.USER32 ref: 6BF6C61A
FindWindowW.USER32 ref: 6BF6C62D
FindWindowW.USER32 ref: 6BF6C640
FindWindowW.USER32 ref: 6BF6C653
FindWindowW.USER32 ref: 6BF6C666
FindWindowW.USER32 ref: 6BF6C679
FindWindowW.USER32 ref: 6BF6C68C
FindWindowW.USER32 ref: 6BF6C69F
FindWindowW.USER32 ref: 6BF6C6B2
FindWindowW.USER32 ref: 6BF6C6C5
FindWindowW.USER32 ref: 6BF6C6D8
FindWindowW.USER32 ref: 6BF6C6EB
FindWindowW.USER32 ref: 6BF6C6FE
FindWindowW.USER32 ref: 6BF6C711
FindWindowW.USER32 ref: 6BF6C724
FindWindowW.USER32 ref: 6BF6C737
FindWindowW.USER32 ref: 6BF6C74A
FindWindowW.USER32 ref: 6BF6C75D
FindWindowW.USER32 ref: 6BF6C770
FindWindowW.USER32 ref: 6BF6C783
FindWindowW.USER32 ref: 6BF6C796
FindWindowW.USER32 ref: 6BF6C7A9
FindWindowW.USER32 ref: 6BF6C7BC
FindWindowW.USER32 ref: 6BF6C7CF
FindWindowW.USER32 ref: 6BF6C7E2
FindWindowW.USER32 ref: 6BF6C7F5
FindWindowW.USER32 ref: 6BF6C808
FindWindowW.USER32 ref: 6BF6C81B
FindWindowW.USER32 ref: 6BF6C82E
FindWindowW.USER32 ref: 6BF6C841
FindWindowW.USER32 ref: 6BF6C854
FindWindowW.USER32 ref: 6BF6C867
FindWindowW.USER32 ref: 6BF6C87A
FindWindowW.USER32 ref: 6BF6C88D
FindWindowW.USER32 ref: 6BF6C8A0
FindWindowW.USER32 ref: 6BF6C8B3
FindWindowW.USER32 ref: 6BF6C8C6
FindWindowW.USER32 ref: 6BF6C8D9
FindWindowW.USER32 ref: 6BF6C8EC
FindWindowW.USER32 ref: 6BF6C8FF
FindWindowW.USER32 ref: 6BF6C912
FindWindowW.USER32 ref: 6BF6C925
FindWindowW.USER32 ref: 6BF6C938
FindWindowW.USER32 ref: 6BF6C94B
FindWindowW.USER32 ref: 6BF6C95E
FindWindowW.USER32 ref: 6BF6C971
FindWindowW.USER32 ref: 6BF6C984
FindWindowW.USER32 ref: 6BF6C997
FindWindowW.USER32 ref: 6BF6C9AA
FindWindowW.USER32 ref: 6BF6C9BD
FindWindowW.USER32 ref: 6BF6C9D0
FindWindowW.USER32 ref: 6BF6C9E3
FindWindowW.USER32 ref: 6BF6C9F6
FindWindowW.USER32 ref: 6BF6CA09
FindWindowW.USER32 ref: 6BF6CA1C
FindWindowW.USER32 ref: 6BF6CA2F
FindWindowW.USER32 ref: 6BF6CA42
FindWindowW.USER32 ref: 6BF6CA55
FindWindowW.USER32 ref: 6BF6CA68
FindWindowW.USER32 ref: 6BF6CA7B
FindWindowW.USER32 ref: 6BF6CA8E
FindWindowW.USER32 ref: 6BF6CAA1
FindWindowW.USER32 ref: 6BF6CAB4
FindWindowW.USER32 ref: 6BF6CAC7
FindWindowW.USER32 ref: 6BF6CADA
FindWindowW.USER32 ref: 6BF6CAED
FindWindowW.USER32 ref: 6BF6CB00
FindWindowW.USER32 ref: 6BF6CB13
FindWindowW.USER32 ref: 6BF6CB26
FindWindowW.USER32 ref: 6BF6CB39
FindWindowW.USER32 ref: 6BF6CB4C
FindWindowW.USER32 ref: 6BF6CB5F
FindWindowW.USER32 ref: 6BF6CB72
FindWindowW.USER32 ref: 6BF6CB85
FindWindowW.USER32 ref: 6BF6CB98
FindWindowW.USER32 ref: 6BF6CBAB
FindWindowW.USER32 ref: 6BF6CBBE
FindWindowW.USER32 ref: 6BF6CBD1
FindWindowW.USER32 ref: 6BF6CBE4
FindWindowW.USER32 ref: 6BF6CBF7
FindWindowW.USER32 ref: 6BF6CC0A
FindWindowW.USER32 ref: 6BF6CC1D
FindWindowW.USER32 ref: 6BF6CC30
FindWindowW.USER32 ref: 6BF6CC43
FindWindowW.USER32 ref: 6BF6CC56
FindWindowW.USER32 ref: 6BF6CC69
FindWindowW.USER32 ref: 6BF6CC7C
FindWindowW.USER32 ref: 6BF6CC8F
FindWindowW.USER32 ref: 6BF6CCA2
FindWindowW.USER32 ref: 6BF6CCB5
FindWindowW.USER32 ref: 6BF6CCC8
FindWindowW.USER32 ref: 6BF6CCDB
FindWindowW.USER32 ref: 6BF6CCEE
FindWindowW.USER32 ref: 6BF6CD01
FindWindowW.USER32 ref: 6BF6CD14
FindWindowW.USER32 ref: 6BF6CD27
FindWindowW.USER32 ref: 6BF6CD3A
FindWindowW.USER32 ref: 6BF6CD4D
FindWindowW.USER32 ref: 6BF6CD60
FindWindowW.USER32 ref: 6BF6CD73
FindWindowW.USER32 ref: 6BF6CD86
FindWindowW.USER32 ref: 6BF6CD99
FindWindowW.USER32 ref: 6BF6CDAC
FindWindowW.USER32 ref: 6BF6CDBF
FindWindowW.USER32 ref: 6BF6CDD2
FindWindowW.USER32 ref: 6BF6CDE5
FindWindowW.USER32 ref: 6BF6CDF8
FindWindowW.USER32 ref: 6BF6CE0B
FindWindowW.USER32 ref: 6BF6CE1E
FindWindowW.USER32 ref: 6BF6CE31
FindWindowW.USER32 ref: 6BF6CE44
FindWindowW.USER32 ref: 6BF6CE57
FindWindowW.USER32 ref: 6BF6CE6A
FindWindowW.USER32 ref: 6BF6CE7D
FindWindowW.USER32 ref: 6BF6CE90
FindWindowW.USER32 ref: 6BF6CEA3
FindWindowW.USER32 ref: 6BF6CEB6
FindWindowW.USER32 ref: 6BF6CEC9
FindWindowW.USER32 ref: 6BF6CEDC
FindWindowW.USER32 ref: 6BF6CEEF
FindWindowW.USER32 ref: 6BF6CF02
FindWindowW.USER32 ref: 6BF6CF15
FindWindowW.USER32 ref: 6BF6CF28
FindWindowW.USER32 ref: 6BF6CF3B
FindWindowW.USER32 ref: 6BF6CF4E
FindWindowW.USER32 ref: 6BF6CF61
FindWindowW.USER32 ref: 6BF6CF74
FindWindowW.USER32 ref: 6BF6CF87
FindWindowW.USER32 ref: 6BF6CF9A
FindWindowW.USER32 ref: 6BF6CFAD
FindWindowW.USER32 ref: 6BF6CFC0
FindWindowW.USER32 ref: 6BF6CFD3
FindWindowW.USER32 ref: 6BF6CFE6
FindWindowW.USER32 ref: 6BF6CFF9
FindWindowW.USER32 ref: 6BF6D00C
FindWindowW.USER32 ref: 6BF6D01F
FindWindowW.USER32 ref: 6BF6D032
FindWindowW.USER32 ref: 6BF6D045
FindWindowW.USER32 ref: 6BF6D058
FindWindowW.USER32 ref: 6BF6D06B
FindWindowW.USER32 ref: 6BF6D07E
FindWindowW.USER32 ref: 6BF6D091
FindWindowW.USER32 ref: 6BF6D0A4
FindWindowW.USER32 ref: 6BF6D0B7
FindWindowW.USER32 ref: 6BF6D0CA
FindWindowW.USER32 ref: 6BF6D0DD
FindWindowW.USER32 ref: 6BF6D0F0
FindWindowW.USER32 ref: 6BF6D103
FindWindowW.USER32 ref: 6BF6D116
FindWindowW.USER32 ref: 6BF6D129
FindWindowW.USER32 ref: 6BF6D13C
FindWindowW.USER32 ref: 6BF6D14F
FindWindowW.USER32 ref: 6BF6D162
FindWindowW.USER32 ref: 6BF6D175
FindWindowW.USER32 ref: 6BF6D188
FindWindowW.USER32 ref: 6BF6D19B
FindWindowW.USER32 ref: 6BF6D1AE
FindWindowW.USER32 ref: 6BF6D1C1
FindWindowW.USER32 ref: 6BF6D1D4
FindWindowW.USER32 ref: 6BF6D1E7
FindWindowW.USER32 ref: 6BF6D1FA
FindWindowW.USER32 ref: 6BF6D20D
FindWindowW.USER32 ref: 6BF6D220
FindWindowW.USER32 ref: 6BF6D233
FindWindowW.USER32 ref: 6BF6D246
FindWindowW.USER32 ref: 6BF6D259
FindWindowW.USER32 ref: 6BF6D26C
FindWindowW.USER32 ref: 6BF6D27F
FindWindowW.USER32 ref: 6BF6D292
FindWindowW.USER32 ref: 6BF6D2A5
FindWindowW.USER32 ref: 6BF6D2B8
FindWindowW.USER32 ref: 6BF6D2CB
FindWindowW.USER32 ref: 6BF6D2DE
FindWindowW.USER32 ref: 6BF6D2F1
FindWindowW.USER32 ref: 6BF6D304
FindWindowW.USER32 ref: 6BF6D317
FindWindowW.USER32 ref: 6BF6D32A
FindWindowW.USER32 ref: 6BF6D33D
FindWindowW.USER32 ref: 6BF6D350
FindWindowW.USER32 ref: 6BF6D363
FindWindowW.USER32 ref: 6BF6D376
FindWindowW.USER32 ref: 6BF6D389
FindWindowW.USER32 ref: 6BF6D39C
FindWindowW.USER32 ref: 6BF6D3AF
FindWindowW.USER32 ref: 6BF6D3C2
FindWindowW.USER32 ref: 6BF6D3D5
FindWindowW.USER32 ref: 6BF6D3E8
FindWindowW.USER32 ref: 6BF6D3FB
FindWindowW.USER32 ref: 6BF6D40E
FindWindowW.USER32 ref: 6BF6D421
FindWindowW.USER32 ref: 6BF6D434
FindWindowW.USER32 ref: 6BF6D447
FindWindowW.USER32 ref: 6BF6D45A
FindWindowW.USER32 ref: 6BF6D46D
FindWindowW.USER32 ref: 6BF6D480
FindWindowW.USER32 ref: 6BF6D493
FindWindowW.USER32 ref: 6BF6D4A6
FindWindowW.USER32 ref: 6BF6D4B9
FindWindowW.USER32 ref: 6BF6D4CC
FindWindowW.USER32 ref: 6BF6D4DF
FindWindowW.USER32 ref: 6BF6D4F2
FindWindowW.USER32 ref: 6BF6D505
FindWindowW.USER32 ref: 6BF6D518
FindWindowW.USER32 ref: 6BF6D52B
FindWindowW.USER32 ref: 6BF6D53E
FindWindowW.USER32 ref: 6BF6D551
FindWindowW.USER32 ref: 6BF6D564
FindWindowW.USER32 ref: 6BF6D577
FindWindowW.USER32 ref: 6BF6D58A
FindWindowW.USER32 ref: 6BF6D59D
FindWindowW.USER32 ref: 6BF6D5B0
FindWindowW.USER32 ref: 6BF6D5C3
FindWindowW.USER32 ref: 6BF6D5D6
FindWindowW.USER32 ref: 6BF6D5E9
FindWindowW.USER32 ref: 6BF6D5FC
FindWindowW.USER32 ref: 6BF6D60F
FindWindowW.USER32 ref: 6BF6D622
FindWindowW.USER32 ref: 6BF6D635
FindWindowW.USER32 ref: 6BF6D648
FindWindowW.USER32 ref: 6BF6D65B
FindWindowW.USER32 ref: 6BF6D66E
FindWindowW.USER32 ref: 6BF6D681
FindWindowW.USER32 ref: 6BF6D694
FindWindowW.USER32 ref: 6BF6D6A7
FindWindowW.USER32 ref: 6BF6D6BA
FindWindowW.USER32 ref: 6BF6D6CD
FindWindowW.USER32 ref: 6BF6D6E0
FindWindowW.USER32 ref: 6BF6D6F3
FindWindowW.USER32 ref: 6BF6D706
FindWindowW.USER32 ref: 6BF6D719
FindWindowW.USER32 ref: 6BF6D72C
FindWindowW.USER32 ref: 6BF6D73F
FindWindowW.USER32 ref: 6BF6D752
FindWindowW.USER32 ref: 6BF6D765
FindWindowW.USER32 ref: 6BF6D778
FindWindowW.USER32 ref: 6BF6D78B
FindWindowW.USER32 ref: 6BF6D79E
FindWindowW.USER32 ref: 6BF6D7B1
FindWindowW.USER32 ref: 6BF6D7C4
FindWindowW.USER32 ref: 6BF6D7D7
FindWindowW.USER32 ref: 6BF6D7EA
FindWindowW.USER32 ref: 6BF6D7FD
FindWindowW.USER32 ref: 6BF6D810
FindWindowW.USER32 ref: 6BF6D823
FindWindowW.USER32 ref: 6BF6D836
FindWindowW.USER32 ref: 6BF6D849
FindWindowW.USER32 ref: 6BF6D85C
FindWindowW.USER32 ref: 6BF6D86F
FindWindowW.USER32 ref: 6BF6D882
FindWindowW.USER32 ref: 6BF6D895
FindWindowW.USER32 ref: 6BF6D8A8
FindWindowW.USER32 ref: 6BF6D8BB
FindWindowW.USER32 ref: 6BF6D8CE
FindWindowW.USER32 ref: 6BF6D8E1
FindWindowW.USER32 ref: 6BF6D8F4
FindWindowW.USER32 ref: 6BF6D907
FindWindowW.USER32 ref: 6BF6D91A
FindWindowW.USER32 ref: 6BF6D92D
FindWindowW.USER32 ref: 6BF6D940
FindWindowW.USER32 ref: 6BF6D953
FindWindowW.USER32 ref: 6BF6D966
FindWindowW.USER32 ref: 6BF6D979
FindWindowW.USER32 ref: 6BF6D98C
FindWindowW.USER32 ref: 6BF6D99F
FindWindowW.USER32 ref: 6BF6D9B2
FindWindowW.USER32 ref: 6BF6D9C5
FindWindowW.USER32 ref: 6BF6D9D8
FindWindowW.USER32 ref: 6BF6D9EB
FindWindowW.USER32 ref: 6BF6D9FE
FindWindowW.USER32 ref: 6BF6DA11
FindWindowW.USER32 ref: 6BF6DA24
FindWindowW.USER32 ref: 6BF6DA37
FindWindowW.USER32 ref: 6BF6DA4A
FindWindowW.USER32 ref: 6BF6DA5D
FindWindowW.USER32 ref: 6BF6DA70
FindWindowW.USER32 ref: 6BF6DA83
FindWindowW.USER32 ref: 6BF6DA96
FindWindowW.USER32 ref: 6BF6DAA9
FindWindowW.USER32 ref: 6BF6DABC
FindWindowW.USER32 ref: 6BF6DACF
FindWindowW.USER32 ref: 6BF6DAE2
FindWindowW.USER32 ref: 6BF6DAF5
FindWindowW.USER32 ref: 6BF6DB08
FindWindowW.USER32 ref: 6BF6DB1B
FindWindowW.USER32 ref: 6BF6DB2E
FindWindowW.USER32 ref: 6BF6DB41
FindWindowW.USER32 ref: 6BF6DB54
FindWindowW.USER32 ref: 6BF6DB67
FindWindowW.USER32 ref: 6BF6DB7A
FindWindowW.USER32 ref: 6BF6DB8D
FindWindowW.USER32 ref: 6BF6DBA0
FindWindowW.USER32 ref: 6BF6DBB3
FindWindowW.USER32 ref: 6BF6DBC6
FindWindowW.USER32 ref: 6BF6DBD9
FindWindowW.USER32 ref: 6BF6DBEC
FindWindowW.USER32 ref: 6BF6DBFF
FindWindowW.USER32 ref: 6BF6DC12
FindWindowW.USER32 ref: 6BF6DC25
FindWindowW.USER32 ref: 6BF6DC38
FindWindowW.USER32 ref: 6BF6DC4B
FindWindowW.USER32 ref: 6BF6DC5E
FindWindowW.USER32 ref: 6BF6DC71
FindWindowW.USER32 ref: 6BF6DC84
FindWindowW.USER32 ref: 6BF6DC97
FindWindowW.USER32 ref: 6BF6DCAA
FindWindowW.USER32 ref: 6BF6DCBD
FindWindowW.USER32 ref: 6BF6DCD0
FindWindowW.USER32 ref: 6BF6DCE3
FindWindowW.USER32 ref: 6BF6DCF6
FindWindowW.USER32 ref: 6BF6DD09
FindWindowW.USER32 ref: 6BF6DD1C
FindWindowW.USER32 ref: 6BF6DD2F
FindWindowW.USER32 ref: 6BF6DD42
FindWindowW.USER32 ref: 6BF6DD55
FindWindowW.USER32 ref: 6BF6DD68
FindWindowW.USER32 ref: 6BF6DD7B
FindWindowW.USER32 ref: 6BF6DD8E
FindWindowW.USER32 ref: 6BF6DDA1
FindWindowW.USER32 ref: 6BF6DDB4
FindWindowW.USER32 ref: 6BF6DDC7
FindWindowW.USER32 ref: 6BF6DDDA
FindWindowW.USER32 ref: 6BF6DDED
FindWindowW.USER32 ref: 6BF6DE00
FindWindowW.USER32 ref: 6BF6DE13
FindWindowW.USER32 ref: 6BF6DE26
FindWindowW.USER32 ref: 6BF6DE39
FindWindowW.USER32 ref: 6BF6DE4C
FindWindowW.USER32 ref: 6BF6DE5F
FindWindowW.USER32 ref: 6BF6DE72
FindWindowW.USER32 ref: 6BF6DE85
FindWindowW.USER32 ref: 6BF6DE98
FindWindowW.USER32 ref: 6BF6DEAB
FindWindowW.USER32 ref: 6BF6DEBE
FindWindowW.USER32 ref: 6BF6DED1
FindWindowW.USER32 ref: 6BF6DEE4
FindWindowW.USER32 ref: 6BF6DEF7
FindWindowW.USER32 ref: 6BF6DF0A
FindWindowW.USER32 ref: 6BF6DF1D
FindWindowW.USER32 ref: 6BF6DF30
FindWindowW.USER32 ref: 6BF6DF43
FindWindowW.USER32 ref: 6BF6DF56
FindWindowW.USER32 ref: 6BF6DF69
FindWindowW.USER32 ref: 6BF6DF7C
FindWindowW.USER32 ref: 6BF6DF8F
FindWindowW.USER32 ref: 6BF6DFA2
FindWindowW.USER32 ref: 6BF6DFB5
FindWindowW.USER32 ref: 6BF6DFC8
FindWindowW.USER32 ref: 6BF6DFDB
FindWindowW.USER32 ref: 6BF6DFEE
FindWindowW.USER32 ref: 6BF6E001
FindWindowW.USER32 ref: 6BF6E014
FindWindowW.USER32 ref: 6BF6E027
FindWindowW.USER32 ref: 6BF6E03A
FindWindowW.USER32 ref: 6BF6E04D
FindWindowW.USER32 ref: 6BF6E060
FindWindowW.USER32 ref: 6BF6E073
FindWindowW.USER32 ref: 6BF6E086
FindWindowW.USER32 ref: 6BF6E099
FindWindowW.USER32 ref: 6BF6E0AC
FindWindowW.USER32 ref: 6BF6E0BF
FindWindowW.USER32 ref: 6BF6E0D2
FindWindowW.USER32 ref: 6BF6E0E5
FindWindowW.USER32 ref: 6BF6E0F8
FindWindowW.USER32 ref: 6BF6E10B
FindWindowW.USER32 ref: 6BF6E11E
FindWindowW.USER32 ref: 6BF6E131
FindWindowW.USER32 ref: 6BF6E144
FindWindowW.USER32 ref: 6BF6E157
FindWindowW.USER32 ref: 6BF6E16A
FindWindowW.USER32 ref: 6BF6E17D
FindWindowW.USER32 ref: 6BF6E190
FindWindowW.USER32 ref: 6BF6E1A3
FindWindowW.USER32 ref: 6BF6E1B6
FindWindowW.USER32 ref: 6BF6E1C9
FindWindowW.USER32 ref: 6BF6E1DC
FindWindowW.USER32 ref: 6BF6E1EF
FindWindowW.USER32 ref: 6BF6E202
FindWindowW.USER32 ref: 6BF6E215
FindWindowW.USER32 ref: 6BF6E228
FindWindowW.USER32 ref: 6BF6E23B
FindWindowW.USER32 ref: 6BF6E24E
FindWindowW.USER32 ref: 6BF6E261
FindWindowW.USER32 ref: 6BF6E274
FindWindowW.USER32 ref: 6BF6E287
FindWindowW.USER32 ref: 6BF6E29A
FindWindowW.USER32 ref: 6BF6E2AD
FindWindowW.USER32 ref: 6BF6E2C0
FindWindowW.USER32 ref: 6BF6E2D3
FindWindowW.USER32 ref: 6BF6E2E6
FindWindowW.USER32 ref: 6BF6E2F9
FindWindowW.USER32 ref: 6BF6E30C
FindWindowW.USER32 ref: 6BF6E31F
FindWindowW.USER32 ref: 6BF6E332
FindWindowW.USER32 ref: 6BF6E345
FindWindowW.USER32 ref: 6BF6E358
FindWindowW.USER32 ref: 6BF6E36B
FindWindowW.USER32 ref: 6BF6E37E
FindWindowW.USER32 ref: 6BF6E391
FindWindowW.USER32 ref: 6BF6E3A4
FindWindowW.USER32 ref: 6BF6E3B7
FindWindowW.USER32 ref: 6BF6E3CA
FindWindowW.USER32 ref: 6BF6E3DD
FindWindowW.USER32 ref: 6BF6E3F0
FindWindowW.USER32 ref: 6BF6E403
FindWindowW.USER32 ref: 6BF6E416
FindWindowW.USER32 ref: 6BF6E429
FindWindowW.USER32 ref: 6BF6E43C
FindWindowW.USER32 ref: 6BF6E44F
FindWindowW.USER32 ref: 6BF6E462
FindWindowW.USER32 ref: 6BF6E475
FindWindowW.USER32 ref: 6BF6E488
FindWindowW.USER32 ref: 6BF6E49B
FindWindowW.USER32 ref: 6BF6E4AE
FindWindowW.USER32 ref: 6BF6E4C1
FindWindowW.USER32 ref: 6BF6E4D4
FindWindowW.USER32 ref: 6BF6E4E7
FindWindowW.USER32 ref: 6BF6E4FA
FindWindowW.USER32 ref: 6BF6E50D
FindWindowW.USER32 ref: 6BF6E520
FindWindowW.USER32 ref: 6BF6E533
FindWindowW.USER32 ref: 6BF6E546
FindWindowW.USER32 ref: 6BF6E559
FindWindowW.USER32 ref: 6BF6E56C
FindWindowW.USER32 ref: 6BF6E57F
FindWindowW.USER32 ref: 6BF6E592
FindWindowW.USER32 ref: 6BF6E5A5
FindWindowW.USER32 ref: 6BF6E5B8
FindWindowW.USER32 ref: 6BF6E5CB
FindWindowW.USER32 ref: 6BF6E5DE
FindWindowW.USER32 ref: 6BF6E5F1
FindWindowW.USER32 ref: 6BF6E604
FindWindowW.USER32 ref: 6BF6E617
FindWindowW.USER32 ref: 6BF6E62A
FindWindowW.USER32 ref: 6BF6E63D
FindWindowW.USER32 ref: 6BF6E650
FindWindowW.USER32 ref: 6BF6E663
FindWindowW.USER32 ref: 6BF6E676
FindWindowW.USER32 ref: 6BF6E689
FindWindowW.USER32 ref: 6BF6E69C
FindWindowW.USER32 ref: 6BF6E6AF
FindWindowW.USER32 ref: 6BF6E6C2
FindWindowW.USER32 ref: 6BF6E6D5
FindWindowW.USER32 ref: 6BF6E6E8
FindWindowW.USER32 ref: 6BF6E6FB
FindWindowW.USER32 ref: 6BF6E70E
FindWindowW.USER32 ref: 6BF6E721
FindWindowW.USER32 ref: 6BF6E734
FindWindowW.USER32 ref: 6BF6E747
FindWindowW.USER32 ref: 6BF6E75A
FindWindowW.USER32 ref: 6BF6E76D
FindWindowW.USER32 ref: 6BF6E780
FindWindowW.USER32 ref: 6BF6E793
FindWindowW.USER32 ref: 6BF6E7A6
FindWindowW.USER32 ref: 6BF6E7B9
FindWindowW.USER32 ref: 6BF6E7CC
FindWindowW.USER32 ref: 6BF6E7DF
FindWindowW.USER32 ref: 6BF6E7F2
FindWindowW.USER32 ref: 6BF6E805
FindWindowW.USER32 ref: 6BF6E818
FindWindowW.USER32 ref: 6BF6E82B
FindWindowW.USER32 ref: 6BF6E83E
FindWindowW.USER32 ref: 6BF6E851
FindWindowW.USER32 ref: 6BF6E864
FindWindowW.USER32 ref: 6BF6E877
FindWindowW.USER32 ref: 6BF6E88A
FindWindowW.USER32 ref: 6BF6E89D
FindWindowW.USER32 ref: 6BF6E8B0
FindWindowW.USER32 ref: 6BF6E8C3
FindWindowW.USER32 ref: 6BF6E8D6
FindWindowW.USER32 ref: 6BF6E8E9
FindWindowW.USER32 ref: 6BF6E8FC
FindWindowW.USER32 ref: 6BF6E90F
FindWindowW.USER32 ref: 6BF6E922
FindWindowW.USER32 ref: 6BF6E935
FindWindowW.USER32 ref: 6BF6E948
FindWindowW.USER32 ref: 6BF6E95B
FindWindowW.USER32 ref: 6BF6E96E
FindWindowW.USER32 ref: 6BF6E981
FindWindowW.USER32 ref: 6BF6E994
FindWindowW.USER32 ref: 6BF6E9A7
FindWindowW.USER32 ref: 6BF6E9BA
FindWindowW.USER32 ref: 6BF6E9CD
FindWindowW.USER32 ref: 6BF6E9E0
FindWindowW.USER32 ref: 6BF6E9F3
FindWindowW.USER32 ref: 6BF6EA06
FindWindowW.USER32 ref: 6BF6EA19
FindWindowW.USER32 ref: 6BF6EA2C
FindWindowW.USER32 ref: 6BF6EA3F
FindWindowW.USER32 ref: 6BF6EA52
FindWindowW.USER32 ref: 6BF6EA65
FindWindowW.USER32 ref: 6BF6EA78
FindWindowW.USER32 ref: 6BF6EA8B
FindWindowW.USER32 ref: 6BF6EA9E
FindWindowW.USER32 ref: 6BF6EAB1
FindWindowW.USER32 ref: 6BF6EAC4
FindWindowW.USER32 ref: 6BF6EAD7
FindWindowW.USER32 ref: 6BF6EAEA
FindWindowW.USER32 ref: 6BF6EAFD
FindWindowW.USER32 ref: 6BF6EB10
FindWindowW.USER32 ref: 6BF6EB23
FindWindowW.USER32 ref: 6BF6EB36
FindWindowW.USER32 ref: 6BF6EB49
FindWindowW.USER32 ref: 6BF6EB5C
FindWindowW.USER32 ref: 6BF6EB6F
FindWindowW.USER32 ref: 6BF6EB82
FindWindowW.USER32 ref: 6BF6EB95
FindWindowW.USER32 ref: 6BF6EBA8
FindWindowW.USER32 ref: 6BF6EBBB
FindWindowW.USER32 ref: 6BF6EBCE
FindWindowW.USER32 ref: 6BF6EBE1
FindWindowW.USER32 ref: 6BF6EBF4
FindWindowW.USER32 ref: 6BF6EC07
FindWindowW.USER32 ref: 6BF6EC1A
FindWindowW.USER32 ref: 6BF6EC2D
FindWindowW.USER32 ref: 6BF6EC40
FindWindowW.USER32 ref: 6BF6EC53
FindWindowW.USER32 ref: 6BF6EC66
FindWindowW.USER32 ref: 6BF6EC79
FindWindowW.USER32 ref: 6BF6EC8C
FindWindowW.USER32 ref: 6BF6EC9F
FindWindowW.USER32 ref: 6BF6ECB2
FindWindowW.USER32 ref: 6BF6ECC5
FindWindowW.USER32 ref: 6BF6ECD8
FindWindowW.USER32 ref: 6BF6ECEB
FindWindowW.USER32 ref: 6BF6ECFE
FindWindowW.USER32 ref: 6BF6ED11
FindWindowW.USER32 ref: 6BF6ED24
FindWindowW.USER32 ref: 6BF6ED37
FindWindowW.USER32 ref: 6BF6ED4A
FindWindowW.USER32 ref: 6BF6ED5D
FindWindowW.USER32 ref: 6BF6ED70
FindWindowW.USER32 ref: 6BF6ED83
FindWindowW.USER32 ref: 6BF6ED96
FindWindowW.USER32 ref: 6BF6EDA9
FindWindowW.USER32 ref: 6BF6EDBC
FindWindowW.USER32 ref: 6BF6EDCF
FindWindowW.USER32 ref: 6BF6EDE2
FindWindowW.USER32 ref: 6BF6EDF5
FindWindowW.USER32 ref: 6BF6EE08
FindWindowW.USER32 ref: 6BF6EE1B
FindWindowW.USER32 ref: 6BF6EE2E
FindWindowW.USER32 ref: 6BF6EE41
FindWindowW.USER32 ref: 6BF6EE54
FindWindowW.USER32 ref: 6BF6EE67
FindWindowW.USER32 ref: 6BF6EE7A
FindWindowW.USER32 ref: 6BF6EE8D
FindWindowW.USER32 ref: 6BF6EEA0
FindWindowW.USER32 ref: 6BF6EEB3
FindWindowW.USER32 ref: 6BF6EEC6
FindWindowW.USER32 ref: 6BF6EED9
FindWindowW.USER32 ref: 6BF6EEEC
FindWindowW.USER32 ref: 6BF6EEFF
FindWindowW.USER32 ref: 6BF6EF12
FindWindowW.USER32 ref: 6BF6EF25
FindWindowW.USER32 ref: 6BF6EF38
FindWindowW.USER32 ref: 6BF6EF4B
FindWindowW.USER32 ref: 6BF6EF5E
FindWindowW.USER32 ref: 6BF6EF71
FindWindowW.USER32 ref: 6BF6EF84
FindWindowW.USER32 ref: 6BF6EF97
FindWindowW.USER32 ref: 6BF6EFAA
FindWindowW.USER32 ref: 6BF6EFBD
FindWindowW.USER32 ref: 6BF6EFD0
FindWindowW.USER32 ref: 6BF6EFE3
FindWindowW.USER32 ref: 6BF6EFF6
FindWindowW.USER32 ref: 6BF6F009
FindWindowW.USER32 ref: 6BF6F01C
FindWindowW.USER32 ref: 6BF6F02F
FindWindowW.USER32 ref: 6BF6F042
FindWindowW.USER32 ref: 6BF6F055
FindWindowW.USER32 ref: 6BF6F068
FindWindowW.USER32 ref: 6BF6F07B
FindWindowW.USER32 ref: 6BF6F08E
FindWindowW.USER32 ref: 6BF6F0A1
FindWindowW.USER32 ref: 6BF6F0B4
FindWindowW.USER32 ref: 6BF6F0C7
FindWindowW.USER32 ref: 6BF6F0DA
FindWindowW.USER32 ref: 6BF6F0ED
FindWindowW.USER32 ref: 6BF6F100
FindWindowW.USER32 ref: 6BF6F113
FindWindowW.USER32 ref: 6BF6F126
FindWindowW.USER32 ref: 6BF6F139
FindWindowW.USER32 ref: 6BF6F14C
FindWindowW.USER32 ref: 6BF6F15F
FindWindowW.USER32 ref: 6BF6F172
FindWindowW.USER32 ref: 6BF6F185
FindWindowW.USER32 ref: 6BF6F198
FindWindowW.USER32 ref: 6BF6F1AB
FindWindowW.USER32 ref: 6BF6F1BE
FindWindowW.USER32 ref: 6BF6F1D1
FindWindowW.USER32 ref: 6BF6F1E4
FindWindowW.USER32 ref: 6BF6F1F7
FindWindowW.USER32 ref: 6BF6F20A
FindWindowW.USER32 ref: 6BF6F21D
FindWindowW.USER32 ref: 6BF6F230
FindWindowW.USER32 ref: 6BF6F243
FindWindowW.USER32 ref: 6BF6F256
FindWindowW.USER32 ref: 6BF6F269
FindWindowW.USER32 ref: 6BF6F27C
FindWindowW.USER32 ref: 6BF6F28F
FindWindowW.USER32 ref: 6BF6F2A2
FindWindowW.USER32 ref: 6BF6F2B5
FindWindowW.USER32 ref: 6BF6F2C8
FindWindowW.USER32 ref: 6BF6F2DB
FindWindowW.USER32 ref: 6BF6F2EE
FindWindowW.USER32 ref: 6BF6F301
FindWindowW.USER32 ref: 6BF6F314
FindWindowW.USER32 ref: 6BF6F327
FindWindowW.USER32 ref: 6BF6F33A
FindWindowW.USER32 ref: 6BF6F34D
FindWindowW.USER32 ref: 6BF6F360
FindWindowW.USER32 ref: 6BF6F373
FindWindowW.USER32 ref: 6BF6F386
FindWindowW.USER32 ref: 6BF6F399
FindWindowW.USER32 ref: 6BF6F3AC
FindWindowW.USER32 ref: 6BF6F3BF
FindWindowW.USER32 ref: 6BF6F3D2
FindWindowW.USER32 ref: 6BF6F3E5
FindWindowW.USER32 ref: 6BF6F3F8
FindWindowW.USER32 ref: 6BF6F40B
FindWindowW.USER32 ref: 6BF6F41E
FindWindowW.USER32 ref: 6BF6F431
FindWindowW.USER32 ref: 6BF6F444
FindWindowW.USER32 ref: 6BF6F457
FindWindowW.USER32 ref: 6BF6F46A
FindWindowW.USER32 ref: 6BF6F47D
FindWindowW.USER32 ref: 6BF6F490
FindWindowW.USER32 ref: 6BF6F4A3
FindWindowW.USER32 ref: 6BF6F4B6
FindWindowW.USER32 ref: 6BF6F4C9
FindWindowW.USER32 ref: 6BF6F4DC
FindWindowW.USER32 ref: 6BF6F4EF
FindWindowW.USER32 ref: 6BF6F502
FindWindowW.USER32 ref: 6BF6F515
FindWindowW.USER32 ref: 6BF6F528
FindWindowW.USER32 ref: 6BF6F53B
FindWindowW.USER32 ref: 6BF6F54E
FindWindowW.USER32 ref: 6BF6F561
FindWindowW.USER32 ref: 6BF6F574
FindWindowW.USER32 ref: 6BF6F587
FindWindowW.USER32 ref: 6BF6F59A
FindWindowW.USER32 ref: 6BF6F5AD
FindWindowW.USER32 ref: 6BF6F5C0
FindWindowW.USER32 ref: 6BF6F5D3
FindWindowW.USER32 ref: 6BF6F5E6
FindWindowW.USER32 ref: 6BF6F5F9
FindWindowW.USER32 ref: 6BF6F60C
FindWindowW.USER32 ref: 6BF6F61F
FindWindowW.USER32 ref: 6BF6F632
FindWindowW.USER32 ref: 6BF6F645
FindWindowW.USER32 ref: 6BF6F658
FindWindowW.USER32 ref: 6BF6F66B
FindWindowW.USER32 ref: 6BF6F67E
FindWindowW.USER32 ref: 6BF6F691
FindWindowW.USER32 ref: 6BF6F6A4
FindWindowW.USER32 ref: 6BF6F6B7
FindWindowW.USER32 ref: 6BF6F6CA
FindWindowW.USER32 ref: 6BF6F6DD
FindWindowW.USER32 ref: 6BF6F6F0
FindWindowW.USER32 ref: 6BF6F703
FindWindowW.USER32 ref: 6BF6F716
FindWindowW.USER32 ref: 6BF6F729
FindWindowW.USER32 ref: 6BF6F73C
FindWindowW.USER32 ref: 6BF6F74F
FindWindowW.USER32 ref: 6BF6F762
FindWindowW.USER32 ref: 6BF6F775
FindWindowW.USER32 ref: 6BF6F788
FindWindowW.USER32 ref: 6BF6F79B
FindWindowW.USER32 ref: 6BF6F7AE
FindWindowW.USER32 ref: 6BF6F7C1
FindWindowW.USER32 ref: 6BF6F7D4
FindWindowW.USER32 ref: 6BF6F7E7
FindWindowW.USER32 ref: 6BF6F7FA
FindWindowW.USER32 ref: 6BF6F80D
FindWindowW.USER32 ref: 6BF6F820
FindWindowW.USER32 ref: 6BF6F833
FindWindowW.USER32 ref: 6BF6F846
FindWindowW.USER32 ref: 6BF6F859
FindWindowW.USER32 ref: 6BF6F86C
FindWindowW.USER32 ref: 6BF6F87F
FindWindowW.USER32 ref: 6BF6F892
FindWindowW.USER32 ref: 6BF6F8A5
FindWindowW.USER32 ref: 6BF6F8B8
FindWindowW.USER32 ref: 6BF6F8CB
FindWindowW.USER32 ref: 6BF6F8DE
FindWindowW.USER32 ref: 6BF6F8F1
FindWindowW.USER32 ref: 6BF6F904
FindWindowW.USER32 ref: 6BF6F917
FindWindowW.USER32 ref: 6BF6F92A
FindWindowW.USER32 ref: 6BF6F93D
FindWindowW.USER32 ref: 6BF6F950
FindWindowW.USER32 ref: 6BF6F963
FindWindowW.USER32 ref: 6BF6F976
FindWindowW.USER32 ref: 6BF6F989
FindWindowW.USER32 ref: 6BF6F99C
FindWindowW.USER32 ref: 6BF6F9AF
FindWindowW.USER32 ref: 6BF6F9C2
FindWindowW.USER32 ref: 6BF6F9D5
FindWindowW.USER32 ref: 6BF6F9E8
FindWindowW.USER32 ref: 6BF6F9FB
FindWindowW.USER32 ref: 6BF6FA0E
FindWindowW.USER32 ref: 6BF6FA21
FindWindowW.USER32 ref: 6BF6FA34
FindWindowW.USER32 ref: 6BF6FA47
FindWindowW.USER32 ref: 6BF6FA5A
FindWindowW.USER32 ref: 6BF6FA6D
FindWindowW.USER32 ref: 6BF6FA80
FindWindowW.USER32 ref: 6BF6FA93
FindWindowW.USER32 ref: 6BF6FAA6
FindWindowW.USER32 ref: 6BF6FAB9
FindWindowW.USER32 ref: 6BF6FACC
FindWindowW.USER32 ref: 6BF6FADF
FindWindowW.USER32 ref: 6BF6FAF2
FindWindowW.USER32 ref: 6BF6FB05
FindWindowW.USER32 ref: 6BF6FB18
FindWindowW.USER32 ref: 6BF6FB2B
FindWindowW.USER32 ref: 6BF6FB3E
FindWindowW.USER32 ref: 6BF6FB51
FindWindowW.USER32 ref: 6BF6FB64
FindWindowW.USER32 ref: 6BF6FB77
FindWindowW.USER32 ref: 6BF6FB8A
FindWindowW.USER32 ref: 6BF6FB9D
FindWindowW.USER32 ref: 6BF6FBB0
FindWindowW.USER32 ref: 6BF6FBC3
FindWindowW.USER32 ref: 6BF6FBD6
FindWindowW.USER32 ref: 6BF6FBE9
FindWindowW.USER32 ref: 6BF6FBFC
FindWindowW.USER32 ref: 6BF6FC0F
FindWindowW.USER32 ref: 6BF6FC22
FindWindowW.USER32 ref: 6BF6FC35
FindWindowW.USER32 ref: 6BF6FC48
FindWindowW.USER32 ref: 6BF6FC5B
FindWindowW.USER32 ref: 6BF6FC6E
FindWindowW.USER32 ref: 6BF6FC81
FindWindowW.USER32 ref: 6BF6FC94
FindWindowW.USER32 ref: 6BF6FCA7
FindWindowW.USER32 ref: 6BF6FCBA
FindWindowW.USER32 ref: 6BF6FCCD
FindWindowW.USER32 ref: 6BF6FCE0
FindWindowW.USER32 ref: 6BF6FCF3
FindWindowW.USER32 ref: 6BF6FD06
FindWindowW.USER32 ref: 6BF6FD19
FindWindowW.USER32 ref: 6BF6FD2C
FindWindowW.USER32 ref: 6BF6FD3F
FindWindowW.USER32 ref: 6BF6FD52
FindWindowW.USER32 ref: 6BF6FD65
FindWindowW.USER32 ref: 6BF6FD78
FindWindowW.USER32 ref: 6BF6FD8B
FindWindowW.USER32 ref: 6BF6FD9E
FindWindowW.USER32 ref: 6BF6FDB1
FindWindowW.USER32 ref: 6BF6FDC4
FindWindowW.USER32 ref: 6BF6FDD7
FindWindowW.USER32 ref: 6BF6FDEA
FindWindowW.USER32 ref: 6BF6FDFD
FindWindowW.USER32 ref: 6BF6FE10
FindWindowW.USER32 ref: 6BF6FE23
FindWindowW.USER32 ref: 6BF6FE36
FindWindowW.USER32 ref: 6BF6FE49
FindWindowW.USER32 ref: 6BF6FE5C
FindWindowW.USER32 ref: 6BF6FE6F
FindWindowW.USER32 ref: 6BF6FE82
FindWindowW.USER32 ref: 6BF6FE95
FindWindowW.USER32 ref: 6BF6FEA8
FindWindowW.USER32 ref: 6BF6FEBB
FindWindowW.USER32 ref: 6BF6FECE
FindWindowW.USER32 ref: 6BF6FEE1
FindWindowW.USER32 ref: 6BF6FEF4
FindWindowW.USER32 ref: 6BF6FF07
FindWindowW.USER32 ref: 6BF6FF1A
FindWindowW.USER32 ref: 6BF6FF2D
FindWindowW.USER32 ref: 6BF6FF40
FindWindowW.USER32 ref: 6BF6FF53
FindWindowW.USER32 ref: 6BF6FF66
FindWindowW.USER32 ref: 6BF6FF79
FindWindowW.USER32 ref: 6BF6FF8C
FindWindowW.USER32 ref: 6BF6FF9F
FindWindowW.USER32 ref: 6BF6FFB2
FindWindowW.USER32 ref: 6BF6FFC5
FindWindowW.USER32 ref: 6BF6FFD8
FindWindowW.USER32 ref: 6BF6FFEB
FindWindowW.USER32 ref: 6BF6FFFE
FindWindowW.USER32 ref: 6BF70011
FindWindowW.USER32 ref: 6BF70024
FindWindowW.USER32 ref: 6BF70037
FindWindowW.USER32 ref: 6BF7004A
FindWindowW.USER32 ref: 6BF7005D
FindWindowW.USER32 ref: 6BF70070
FindWindowW.USER32 ref: 6BF70083
FindWindowW.USER32 ref: 6BF70096
FindWindowW.USER32 ref: 6BF700A9
FindWindowW.USER32 ref: 6BF700BC
FindWindowW.USER32 ref: 6BF700CF
FindWindowW.USER32 ref: 6BF700E2
FindWindowW.USER32 ref: 6BF700F5
FindWindowW.USER32 ref: 6BF70108
FindWindowW.USER32 ref: 6BF7011B
FindWindowW.USER32 ref: 6BF7012E
FindWindowW.USER32 ref: 6BF70141
FindWindowW.USER32 ref: 6BF70154
FindWindowW.USER32 ref: 6BF70167
FindWindowW.USER32 ref: 6BF7017A
FindWindowW.USER32 ref: 6BF7018D
FindWindowW.USER32 ref: 6BF701A0
FindWindowW.USER32 ref: 6BF701B3
FindWindowW.USER32 ref: 6BF701C6
FindWindowW.USER32 ref: 6BF701D9
FindWindowW.USER32 ref: 6BF701EC
FindWindowW.USER32 ref: 6BF701FF
FindWindowW.USER32 ref: 6BF70212
FindWindowW.USER32 ref: 6BF70225
FindWindowW.USER32 ref: 6BF70238
FindWindowW.USER32 ref: 6BF7024B
FindWindowW.USER32 ref: 6BF7025E
FindWindowW.USER32 ref: 6BF70271
FindWindowW.USER32 ref: 6BF70284
FindWindowW.USER32 ref: 6BF70297
FindWindowW.USER32 ref: 6BF702AA
FindWindowW.USER32 ref: 6BF702BD
FindWindowW.USER32 ref: 6BF702D0
FindWindowW.USER32 ref: 6BF702E3
FindWindowW.USER32 ref: 6BF702F6
FindWindowW.USER32 ref: 6BF70309
FindWindowW.USER32 ref: 6BF7031C
FindWindowW.USER32 ref: 6BF7032F
FindWindowW.USER32 ref: 6BF70342
FindWindowW.USER32 ref: 6BF70355
FindWindowW.USER32 ref: 6BF70368
FindWindowW.USER32 ref: 6BF7037B
FindWindowW.USER32 ref: 6BF7038E
FindWindowW.USER32 ref: 6BF703A1
FindWindowW.USER32 ref: 6BF703B4
FindWindowW.USER32 ref: 6BF703C7
FindWindowW.USER32 ref: 6BF703DA
FindWindowW.USER32 ref: 6BF703ED
FindWindowW.USER32 ref: 6BF70400
FindWindowW.USER32 ref: 6BF70413
FindWindowW.USER32 ref: 6BF70426
FindWindowW.USER32 ref: 6BF70439
FindWindowW.USER32 ref: 6BF7044C
FindWindowW.USER32 ref: 6BF7045F
FindWindowW.USER32 ref: 6BF70472
FindWindowW.USER32 ref: 6BF70485
FindWindowW.USER32 ref: 6BF70498
FindWindowW.USER32 ref: 6BF704AB
FindWindowW.USER32 ref: 6BF704BE
FindWindowW.USER32 ref: 6BF704D1
FindWindowW.USER32 ref: 6BF704E4
FindWindowW.USER32 ref: 6BF704F7
FindWindowW.USER32 ref: 6BF7050A
FindWindowW.USER32 ref: 6BF7051D
FindWindowW.USER32 ref: 6BF70530
FindWindowW.USER32 ref: 6BF70543
FindWindowW.USER32 ref: 6BF70556
FindWindowW.USER32 ref: 6BF70569
FindWindowW.USER32 ref: 6BF7057C
FindWindowW.USER32 ref: 6BF7058F
FindWindowW.USER32 ref: 6BF705A2
FindWindowW.USER32 ref: 6BF705B5
FindWindowW.USER32 ref: 6BF705C8
FindWindowW.USER32 ref: 6BF705DB
FindWindowW.USER32 ref: 6BF705EE
FindWindowW.USER32 ref: 6BF70601
FindWindowW.USER32 ref: 6BF70614
FindWindowW.USER32 ref: 6BF70627
FindWindowW.USER32 ref: 6BF7063A
FindWindowW.USER32 ref: 6BF7064D
FindWindowW.USER32 ref: 6BF70660
FindWindowW.USER32 ref: 6BF70673
FindWindowW.USER32 ref: 6BF70686
FindWindowW.USER32 ref: 6BF70699
FindWindowW.USER32 ref: 6BF706AC
FindWindowW.USER32 ref: 6BF706BF
FindWindowW.USER32 ref: 6BF706D2
FindWindowW.USER32 ref: 6BF706E5
FindWindowW.USER32 ref: 6BF706F8
FindWindowW.USER32 ref: 6BF7070B
FindWindowW.USER32 ref: 6BF7071E
FindWindowW.USER32 ref: 6BF70731
FindWindowW.USER32 ref: 6BF70744
FindWindowW.USER32 ref: 6BF70757
FindWindowW.USER32 ref: 6BF7076A
FindWindowW.USER32 ref: 6BF7077D
FindWindowW.USER32 ref: 6BF70790
FindWindowW.USER32 ref: 6BF707A3
FindWindowW.USER32 ref: 6BF707B6
FindWindowW.USER32 ref: 6BF707C9
FindWindowW.USER32 ref: 6BF707DC
FindWindowW.USER32 ref: 6BF707EF
FindWindowW.USER32 ref: 6BF70802
FindWindowW.USER32 ref: 6BF70815
FindWindowW.USER32 ref: 6BF70828
FindWindowW.USER32 ref: 6BF7083B
FindWindowW.USER32 ref: 6BF7084E
FindWindowW.USER32 ref: 6BF70861
FindWindowW.USER32 ref: 6BF70874
FindWindowW.USER32 ref: 6BF70887
FindWindowW.USER32 ref: 6BF7089A
FindWindowW.USER32 ref: 6BF708AD
FindWindowW.USER32 ref: 6BF708C0
FindWindowW.USER32 ref: 6BF708D3
FindWindowW.USER32 ref: 6BF708E6
FindWindowW.USER32 ref: 6BF708F9
FindWindowW.USER32 ref: 6BF7090C
FindWindowW.USER32 ref: 6BF7091F
FindWindowW.USER32 ref: 6BF70932
FindWindowW.USER32 ref: 6BF70945
FindWindowW.USER32 ref: 6BF70958
FindWindowW.USER32 ref: 6BF7096B
FindWindowW.USER32 ref: 6BF7097E
FindWindowW.USER32 ref: 6BF70991
FindWindowW.USER32 ref: 6BF709A4
FindWindowW.USER32 ref: 6BF709B7
FindWindowW.USER32 ref: 6BF709CA
FindWindowW.USER32 ref: 6BF709DD
FindWindowW.USER32 ref: 6BF709F0
FindWindowW.USER32 ref: 6BF70A03
FindWindowW.USER32 ref: 6BF70A16
FindWindowW.USER32 ref: 6BF70A29
FindWindowW.USER32 ref: 6BF70A3C
FindWindowW.USER32 ref: 6BF70A4F
FindWindowW.USER32 ref: 6BF70A62
FindWindowW.USER32 ref: 6BF70A75
FindWindowW.USER32 ref: 6BF70A88
FindWindowW.USER32 ref: 6BF70A9B
FindWindowW.USER32 ref: 6BF70AAE
FindWindowW.USER32 ref: 6BF70AC1
FindWindowW.USER32 ref: 6BF70AD4
FindWindowW.USER32 ref: 6BF70AE7
FindWindowW.USER32 ref: 6BF70AFA
FindWindowW.USER32 ref: 6BF70B0D
FindWindowW.USER32 ref: 6BF70B20
FindWindowW.USER32 ref: 6BF70B33
FindWindowW.USER32 ref: 6BF70B46
FindWindowW.USER32 ref: 6BF70B59
FindWindowW.USER32 ref: 6BF70B6C
FindWindowW.USER32 ref: 6BF70B7F
FindWindowW.USER32 ref: 6BF70B92
FindWindowW.USER32 ref: 6BF70BA5
FindWindowW.USER32 ref: 6BF70BB8
FindWindowW.USER32 ref: 6BF70BCB
FindWindowW.USER32 ref: 6BF70BDE
FindWindowW.USER32 ref: 6BF70BF1
FindWindowW.USER32 ref: 6BF70C04
FindWindowW.USER32 ref: 6BF70C17
FindWindowW.USER32 ref: 6BF70C2A
FindWindowW.USER32 ref: 6BF70C3D
FindWindowW.USER32 ref: 6BF70C50
FindWindowW.USER32 ref: 6BF70C63
FindWindowW.USER32 ref: 6BF70C76
FindWindowW.USER32 ref: 6BF70C89
FindWindowW.USER32 ref: 6BF70C9C
FindWindowW.USER32 ref: 6BF70CAF
FindWindowW.USER32 ref: 6BF70CC2
FindWindowW.USER32 ref: 6BF70CD5
FindWindowW.USER32 ref: 6BF70CE8
FindWindowW.USER32 ref: 6BF70CFB
FindWindowW.USER32 ref: 6BF70D0E
FindWindowW.USER32 ref: 6BF70D21
FindWindowW.USER32 ref: 6BF70D34
FindWindowW.USER32 ref: 6BF70D47
FindWindowW.USER32 ref: 6BF70D5A
FindWindowW.USER32 ref: 6BF70D6D
FindWindowW.USER32 ref: 6BF70D80
FindWindowW.USER32 ref: 6BF70D93
FindWindowW.USER32 ref: 6BF70DA6
FindWindowW.USER32 ref: 6BF70DB9
FindWindowW.USER32 ref: 6BF70DCC
FindWindowW.USER32 ref: 6BF70DDF
FindWindowW.USER32 ref: 6BF70DF2
FindWindowW.USER32 ref: 6BF70E05
FindWindowW.USER32 ref: 6BF70E18
FindWindowW.USER32 ref: 6BF70E2B
FindWindowW.USER32 ref: 6BF70E3E
FindWindowW.USER32 ref: 6BF70E51
FindWindowW.USER32 ref: 6BF70E64
FindWindowW.USER32 ref: 6BF70E77
FindWindowW.USER32 ref: 6BF70E8A
FindWindowW.USER32 ref: 6BF70E9D
FindWindowW.USER32 ref: 6BF70EB0
FindWindowW.USER32 ref: 6BF70EC3
FindWindowW.USER32 ref: 6BF70ED6
FindWindowW.USER32 ref: 6BF70EE9
FindWindowW.USER32 ref: 6BF70EFC
FindWindowW.USER32 ref: 6BF70F0F
FindWindowW.USER32 ref: 6BF70F22
FindWindowW.USER32 ref: 6BF70F35
FindWindowW.USER32 ref: 6BF70F48
FindWindowW.USER32 ref: 6BF70F5B
FindWindowW.USER32 ref: 6BF70F6E
FindWindowW.USER32 ref: 6BF70F81
FindWindowW.USER32 ref: 6BF70F94
FindWindowW.USER32 ref: 6BF70FA7
FindWindowW.USER32 ref: 6BF70FBA
FindWindowW.USER32 ref: 6BF70FCD
FindWindowW.USER32 ref: 6BF70FE0
FindWindowW.USER32 ref: 6BF70FF3
FindWindowW.USER32 ref: 6BF71006
FindWindowW.USER32 ref: 6BF71019
FindWindowW.USER32 ref: 6BF7102C
FindWindowW.USER32 ref: 6BF7103F
FindWindowW.USER32 ref: 6BF71052
FindWindowW.USER32 ref: 6BF71065
FindWindowW.USER32 ref: 6BF71078
FindWindowW.USER32 ref: 6BF7108B
FindWindowW.USER32 ref: 6BF7109E
FindWindowW.USER32 ref: 6BF710B1
FindWindowW.USER32 ref: 6BF710C4
FindWindowW.USER32 ref: 6BF710D7
FindWindowW.USER32 ref: 6BF710EA
FindWindowW.USER32 ref: 6BF710FD
FindWindowW.USER32 ref: 6BF71110
FindWindowW.USER32 ref: 6BF71123
FindWindowW.USER32 ref: 6BF71136
FindWindowW.USER32 ref: 6BF71149
FindWindowW.USER32 ref: 6BF7115C
FindWindowW.USER32 ref: 6BF7116F
FindWindowW.USER32 ref: 6BF71182
FindWindowW.USER32 ref: 6BF71195
FindWindowW.USER32 ref: 6BF711A8
FindWindowW.USER32 ref: 6BF711BB
FindWindowW.USER32 ref: 6BF711CE
FindWindowW.USER32 ref: 6BF711E1
FindWindowW.USER32 ref: 6BF711F4
FindWindowW.USER32 ref: 6BF71207
FindWindowW.USER32 ref: 6BF7121A
FindWindowW.USER32 ref: 6BF7122D
FindWindowW.USER32 ref: 6BF71240
FindWindowW.USER32 ref: 6BF71253
FindWindowW.USER32 ref: 6BF71266
FindWindowW.USER32 ref: 6BF71279
FindWindowW.USER32 ref: 6BF7128C
FindWindowW.USER32 ref: 6BF7129F
FindWindowW.USER32 ref: 6BF712B2
FindWindowW.USER32 ref: 6BF712C5
FindWindowW.USER32 ref: 6BF712D8
FindWindowW.USER32 ref: 6BF712EB
FindWindowW.USER32 ref: 6BF712FE
FindWindowW.USER32 ref: 6BF71311
FindWindowW.USER32 ref: 6BF71324
FindWindowW.USER32 ref: 6BF71337
FindWindowW.USER32 ref: 6BF7134A
FindWindowW.USER32 ref: 6BF7135D
FindWindowW.USER32 ref: 6BF71370
FindWindowW.USER32 ref: 6BF71383
FindWindowW.USER32 ref: 6BF71396
FindWindowW.USER32 ref: 6BF713A9
FindWindowW.USER32 ref: 6BF713BC
FindWindowW.USER32 ref: 6BF713CF
FindWindowW.USER32 ref: 6BF713E2
FindWindowW.USER32 ref: 6BF713F5
FindWindowW.USER32 ref: 6BF71408
FindWindowW.USER32 ref: 6BF7141B
FindWindowW.USER32 ref: 6BF7142E
FindWindowW.USER32 ref: 6BF71441
FindWindowW.USER32 ref: 6BF71454
FindWindowW.USER32 ref: 6BF71467
FindWindowW.USER32 ref: 6BF7147A
FindWindowW.USER32 ref: 6BF7148D
FindWindowW.USER32 ref: 6BF714A0
FindWindowW.USER32 ref: 6BF714B3
FindWindowW.USER32 ref: 6BF714C6
FindWindowW.USER32 ref: 6BF714D9
FindWindowW.USER32 ref: 6BF714EC
FindWindowW.USER32 ref: 6BF714FF
FindWindowW.USER32 ref: 6BF71512
FindWindowW.USER32 ref: 6BF71525
FindWindowW.USER32 ref: 6BF71538
FindWindowW.USER32 ref: 6BF7154B
FindWindowW.USER32 ref: 6BF7155E
FindWindowW.USER32 ref: 6BF71571
FindWindowW.USER32 ref: 6BF71584
FindWindowW.USER32 ref: 6BF71597
FindWindowW.USER32 ref: 6BF715AA
FindWindowW.USER32 ref: 6BF715BD
FindWindowW.USER32 ref: 6BF715D0
FindWindowW.USER32 ref: 6BF715E3
FindWindowW.USER32 ref: 6BF715F6
FindWindowW.USER32 ref: 6BF71609
FindWindowW.USER32 ref: 6BF7161C
FindWindowW.USER32 ref: 6BF7162F
FindWindowW.USER32 ref: 6BF71642
FindWindowW.USER32 ref: 6BF71655
FindWindowW.USER32 ref: 6BF71668
FindWindowW.USER32 ref: 6BF7167B
FindWindowW.USER32 ref: 6BF7168E
FindWindowW.USER32 ref: 6BF716A1
FindWindowW.USER32 ref: 6BF716B4
FindWindowW.USER32 ref: 6BF716C7
FindWindowW.USER32 ref: 6BF716DA
FindWindowW.USER32 ref: 6BF716ED
FindWindowW.USER32 ref: 6BF71700
FindWindowW.USER32 ref: 6BF71713
FindWindowW.USER32 ref: 6BF71726
FindWindowW.USER32 ref: 6BF71739
FindWindowW.USER32 ref: 6BF7174C
FindWindowW.USER32 ref: 6BF7175F
FindWindowW.USER32 ref: 6BF71772
FindWindowW.USER32 ref: 6BF71785
FindWindowW.USER32 ref: 6BF71798
FindWindowW.USER32 ref: 6BF717AB
FindWindowW.USER32 ref: 6BF717BE
FindWindowW.USER32 ref: 6BF717D1
FindWindowW.USER32 ref: 6BF717E4
FindWindowW.USER32 ref: 6BF717F7
FindWindowW.USER32 ref: 6BF7180A
FindWindowW.USER32 ref: 6BF7181D
FindWindowW.USER32 ref: 6BF71830
FindWindowW.USER32 ref: 6BF71843
FindWindowW.USER32 ref: 6BF71856
FindWindowW.USER32 ref: 6BF71869
FindWindowW.USER32 ref: 6BF7187C
FindWindowW.USER32 ref: 6BF7188F
FindWindowW.USER32 ref: 6BF718A2
FindWindowW.USER32 ref: 6BF718B5
FindWindowW.USER32 ref: 6BF718C8
FindWindowW.USER32 ref: 6BF718DB
FindWindowW.USER32 ref: 6BF718EE
FindWindowW.USER32 ref: 6BF71901
FindWindowW.USER32 ref: 6BF71914
FindWindowW.USER32 ref: 6BF71927
FindWindowW.USER32 ref: 6BF7193A
FindWindowW.USER32 ref: 6BF7194D
FindWindowW.USER32 ref: 6BF71960
FindWindowW.USER32 ref: 6BF71973
FindWindowW.USER32 ref: 6BF71986
FindWindowW.USER32 ref: 6BF71999
FindWindowW.USER32 ref: 6BF719AC
FindWindowW.USER32 ref: 6BF719BF
FindWindowW.USER32 ref: 6BF719D2
FindWindowW.USER32 ref: 6BF719E5
FindWindowW.USER32 ref: 6BF719F8
FindWindowW.USER32 ref: 6BF71A0B
FindWindowW.USER32 ref: 6BF71A1E
FindWindowW.USER32 ref: 6BF71A31
FindWindowW.USER32 ref: 6BF71A44
FindWindowW.USER32 ref: 6BF71A57
FindWindowW.USER32 ref: 6BF71A6A
FindWindowW.USER32 ref: 6BF71A7D
FindWindowW.USER32 ref: 6BF71A90
FindWindowW.USER32 ref: 6BF71AA3
FindWindowW.USER32 ref: 6BF71AB6
FindWindowW.USER32 ref: 6BF71AC9
FindWindowW.USER32 ref: 6BF71ADC
FindWindowW.USER32 ref: 6BF71AEF
FindWindowW.USER32 ref: 6BF71B02
FindWindowW.USER32 ref: 6BF71B15
FindWindowW.USER32 ref: 6BF71B28
FindWindowW.USER32 ref: 6BF71B3B
FindWindowW.USER32 ref: 6BF71B4E
FindWindowW.USER32 ref: 6BF71B61
FindWindowW.USER32 ref: 6BF71B74
FindWindowW.USER32 ref: 6BF71B87
FindWindowW.USER32 ref: 6BF71B9A
FindWindowW.USER32 ref: 6BF71BAD
FindWindowW.USER32 ref: 6BF71BC0
FindWindowW.USER32 ref: 6BF71BD3
FindWindowW.USER32 ref: 6BF71BE6
FindWindowW.USER32 ref: 6BF71BF9
FindWindowW.USER32 ref: 6BF71C0C
FindWindowW.USER32 ref: 6BF71C1F
FindWindowW.USER32 ref: 6BF71C32
FindWindowW.USER32 ref: 6BF71C45
FindWindowW.USER32 ref: 6BF71C58
FindWindowW.USER32 ref: 6BF71C6B
FindWindowW.USER32 ref: 6BF71C7E
FindWindowW.USER32 ref: 6BF71C91
FindWindowW.USER32 ref: 6BF71CA4
FindWindowW.USER32 ref: 6BF71CB7
FindWindowW.USER32 ref: 6BF71CCA
FindWindowW.USER32 ref: 6BF71CDD
FindWindowW.USER32 ref: 6BF71CF0
FindWindowW.USER32 ref: 6BF71D03
FindWindowW.USER32 ref: 6BF71D16
FindWindowW.USER32 ref: 6BF71D29
FindWindowW.USER32 ref: 6BF71D3C
FindWindowW.USER32 ref: 6BF71D4F
FindWindowW.USER32 ref: 6BF71D62
FindWindowW.USER32 ref: 6BF71D75
FindWindowW.USER32 ref: 6BF71D88
FindWindowW.USER32 ref: 6BF71D9B
FindWindowW.USER32 ref: 6BF71DAE
FindWindowW.USER32 ref: 6BF71DC1
FindWindowW.USER32 ref: 6BF71DD4
FindWindowW.USER32 ref: 6BF71DE7
FindWindowW.USER32 ref: 6BF71DFA
FindWindowW.USER32 ref: 6BF71E0D
FindWindowW.USER32 ref: 6BF71E20
FindWindowW.USER32 ref: 6BF71E33
FindWindowW.USER32 ref: 6BF71E46
FindWindowW.USER32 ref: 6BF71E59
FindWindowW.USER32 ref: 6BF71E6C
FindWindowW.USER32 ref: 6BF71E7F
FindWindowW.USER32 ref: 6BF71E92
FindWindowW.USER32 ref: 6BF71EA5
FindWindowW.USER32 ref: 6BF71EB8
FindWindowW.USER32 ref: 6BF71ECB
FindWindowW.USER32 ref: 6BF71EDE
FindWindowW.USER32 ref: 6BF71EF1
FindWindowW.USER32 ref: 6BF71F04
FindWindowW.USER32 ref: 6BF71F17
FindWindowW.USER32 ref: 6BF71F2A
FindWindowW.USER32 ref: 6BF71F3D
FindWindowW.USER32 ref: 6BF71F50
FindWindowW.USER32 ref: 6BF71F63
FindWindowW.USER32 ref: 6BF71F76
FindWindowW.USER32 ref: 6BF71F89
FindWindowW.USER32 ref: 6BF71F9C
FindWindowW.USER32 ref: 6BF71FAF
FindWindowW.USER32 ref: 6BF71FC2
FindWindowW.USER32 ref: 6BF71FD5
FindWindowW.USER32 ref: 6BF71FE8
FindWindowW.USER32 ref: 6BF71FFB
FindWindowW.USER32 ref: 6BF7200E
FindWindowW.USER32 ref: 6BF72021
FindWindowW.USER32 ref: 6BF72034
FindWindowW.USER32 ref: 6BF72047
FindWindowW.USER32 ref: 6BF7205A
FindWindowW.USER32 ref: 6BF7206D
FindWindowW.USER32 ref: 6BF72080
FindWindowW.USER32 ref: 6BF72093
FindWindowW.USER32 ref: 6BF720A6
FindWindowW.USER32 ref: 6BF720B9
FindWindowW.USER32 ref: 6BF720CC
FindWindowW.USER32 ref: 6BF720DF
FindWindowW.USER32 ref: 6BF720F2
FindWindowW.USER32 ref: 6BF72105
FindWindowW.USER32 ref: 6BF72118
FindWindowW.USER32 ref: 6BF7212B
FindWindowW.USER32 ref: 6BF7213E
FindWindowW.USER32 ref: 6BF72151
FindWindowW.USER32 ref: 6BF72164
FindWindowW.USER32 ref: 6BF72177
FindWindowW.USER32 ref: 6BF7218A
FindWindowW.USER32 ref: 6BF7219D
FindWindowW.USER32 ref: 6BF721B0
FindWindowW.USER32 ref: 6BF721C3
FindWindowW.USER32 ref: 6BF721D6
FindWindowW.USER32 ref: 6BF721E9
FindWindowW.USER32 ref: 6BF721FC
FindWindowW.USER32 ref: 6BF7220F
FindWindowW.USER32 ref: 6BF72222
FindWindowW.USER32 ref: 6BF72235
FindWindowW.USER32 ref: 6BF72248
FindWindowW.USER32 ref: 6BF7225B
FindWindowW.USER32 ref: 6BF7226E
FindWindowW.USER32 ref: 6BF72281
FindWindowW.USER32 ref: 6BF72294
FindWindowW.USER32 ref: 6BF722A7
FindWindowW.USER32 ref: 6BF722BA
FindWindowW.USER32 ref: 6BF722CD
FindWindowW.USER32 ref: 6BF722E0
FindWindowW.USER32 ref: 6BF722F3
FindWindowW.USER32 ref: 6BF72306
FindWindowW.USER32 ref: 6BF72319
FindWindowW.USER32 ref: 6BF7232C
FindWindowW.USER32 ref: 6BF7233F
FindWindowW.USER32 ref: 6BF72352
FindWindowW.USER32 ref: 6BF72365
FindWindowW.USER32 ref: 6BF72378
FindWindowW.USER32 ref: 6BF7238B
FindWindowW.USER32 ref: 6BF7239E
FindWindowW.USER32 ref: 6BF723B1
FindWindowW.USER32 ref: 6BF723C4
FindWindowW.USER32 ref: 6BF723D7
FindWindowW.USER32 ref: 6BF723EA
FindWindowW.USER32 ref: 6BF723FD
FindWindowW.USER32 ref: 6BF72410
FindWindowW.USER32 ref: 6BF72423
FindWindowW.USER32 ref: 6BF72436
FindWindowW.USER32 ref: 6BF72449
FindWindowW.USER32 ref: 6BF7245C
FindWindowW.USER32 ref: 6BF7246F
FindWindowW.USER32 ref: 6BF72482
FindWindowW.USER32 ref: 6BF72495
FindWindowW.USER32 ref: 6BF724A8
FindWindowW.USER32 ref: 6BF724BB
FindWindowW.USER32 ref: 6BF724CE
FindWindowW.USER32 ref: 6BF724E1
FindWindowW.USER32 ref: 6BF724F4
FindWindowW.USER32 ref: 6BF72507
FindWindowW.USER32 ref: 6BF7251A
FindWindowW.USER32 ref: 6BF7252D
FindWindowW.USER32 ref: 6BF72540
FindWindowW.USER32 ref: 6BF72553
FindWindowW.USER32 ref: 6BF72566
FindWindowW.USER32 ref: 6BF72579
FindWindowW.USER32 ref: 6BF7258C
FindWindowW.USER32 ref: 6BF7259F
FindWindowW.USER32 ref: 6BF725B2
FindWindowW.USER32 ref: 6BF725C5
FindWindowW.USER32 ref: 6BF725D8
FindWindowW.USER32 ref: 6BF725EB
FindWindowW.USER32 ref: 6BF725FE
FindWindowW.USER32 ref: 6BF72611
FindWindowW.USER32 ref: 6BF72624
FindWindowW.USER32 ref: 6BF72637
FindWindowW.USER32 ref: 6BF7264A
FindWindowW.USER32 ref: 6BF7265D
FindWindowW.USER32 ref: 6BF72670
FindWindowW.USER32 ref: 6BF72683
FindWindowW.USER32 ref: 6BF72696
FindWindowW.USER32 ref: 6BF726A9
FindWindowW.USER32 ref: 6BF726BC
FindWindowW.USER32 ref: 6BF726CF
FindWindowW.USER32 ref: 6BF726E2
FindWindowW.USER32 ref: 6BF726F5
FindWindowW.USER32 ref: 6BF72708
FindWindowW.USER32 ref: 6BF7271B
FindWindowW.USER32 ref: 6BF7272E
FindWindowW.USER32 ref: 6BF72741
FindWindowW.USER32 ref: 6BF72754
FindWindowW.USER32 ref: 6BF72767
FindWindowW.USER32 ref: 6BF7277A
FindWindowW.USER32 ref: 6BF7278D
FindWindowW.USER32 ref: 6BF727A0
FindWindowW.USER32 ref: 6BF727B3
FindWindowW.USER32 ref: 6BF727C6
FindWindowW.USER32 ref: 6BF727D9
FindWindowW.USER32 ref: 6BF727EC
FindWindowW.USER32 ref: 6BF727FF
FindWindowW.USER32 ref: 6BF72812
FindWindowW.USER32 ref: 6BF72825
FindWindowW.USER32 ref: 6BF72838
FindWindowW.USER32 ref: 6BF7284B
FindWindowW.USER32 ref: 6BF7285E
FindWindowW.USER32 ref: 6BF72871
FindWindowW.USER32 ref: 6BF72884
FindWindowW.USER32 ref: 6BF72897
FindWindowW.USER32 ref: 6BF728AA
FindWindowW.USER32 ref: 6BF728BD
FindWindowW.USER32 ref: 6BF728D0
FindWindowW.USER32 ref: 6BF728E3
FindWindowW.USER32 ref: 6BF728F6
FindWindowW.USER32 ref: 6BF72909
FindWindowW.USER32 ref: 6BF7291C
FindWindowW.USER32 ref: 6BF7292F
FindWindowW.USER32 ref: 6BF72942
FindWindowW.USER32 ref: 6BF72955
FindWindowW.USER32 ref: 6BF72968
FindWindowW.USER32 ref: 6BF7297B
FindWindowW.USER32 ref: 6BF7298E
FindWindowW.USER32 ref: 6BF729A1
FindWindowW.USER32 ref: 6BF729B4
FindWindowW.USER32 ref: 6BF729C7
FindWindowW.USER32 ref: 6BF729DA
FindWindowW.USER32 ref: 6BF729ED
FindWindowW.USER32 ref: 6BF72A00
FindWindowW.USER32 ref: 6BF72A13
FindWindowW.USER32 ref: 6BF72A26
FindWindowW.USER32 ref: 6BF72A39
FindWindowW.USER32 ref: 6BF72A4C
FindWindowW.USER32 ref: 6BF72A5F
FindWindowW.USER32 ref: 6BF72A72
FindWindowW.USER32 ref: 6BF72A85
FindWindowW.USER32 ref: 6BF72A98
FindWindowW.USER32 ref: 6BF72AAB
FindWindowW.USER32 ref: 6BF72ABE
FindWindowW.USER32 ref: 6BF72AD1
FindWindowW.USER32 ref: 6BF72AE4
FindWindowW.USER32 ref: 6BF72AF7
FindWindowW.USER32 ref: 6BF72B0A
FindWindowW.USER32 ref: 6BF72B1D
FindWindowW.USER32 ref: 6BF72B30
FindWindowW.USER32 ref: 6BF72B43
FindWindowW.USER32 ref: 6BF72B56
FindWindowW.USER32 ref: 6BF72B69
FindWindowW.USER32 ref: 6BF72B7C
FindWindowW.USER32 ref: 6BF72B8F
FindWindowW.USER32 ref: 6BF72BA2
FindWindowW.USER32 ref: 6BF72BB5
FindWindowW.USER32 ref: 6BF72BC8
FindWindowW.USER32 ref: 6BF72BDB
FindWindowW.USER32 ref: 6BF72BEE
FindWindowW.USER32 ref: 6BF72C01
FindWindowW.USER32 ref: 6BF72C14
FindWindowW.USER32 ref: 6BF72C27
FindWindowW.USER32 ref: 6BF72C3A
FindWindowW.USER32 ref: 6BF72C4D
FindWindowW.USER32 ref: 6BF72C60
FindWindowW.USER32 ref: 6BF72C73
FindWindowW.USER32 ref: 6BF72C86
FindWindowW.USER32 ref: 6BF72C99
FindWindowW.USER32 ref: 6BF72CAC
FindWindowW.USER32 ref: 6BF72CBF
FindWindowW.USER32 ref: 6BF72CD2
FindWindowW.USER32 ref: 6BF72CE5
FindWindowW.USER32 ref: 6BF72CF8
FindWindowW.USER32 ref: 6BF72D0B
FindWindowW.USER32 ref: 6BF72D1E
FindWindowW.USER32 ref: 6BF72D31
FindWindowW.USER32 ref: 6BF72D44
FindWindowW.USER32 ref: 6BF72D57
FindWindowW.USER32 ref: 6BF72D6A
FindWindowW.USER32 ref: 6BF72D7D
FindWindowW.USER32 ref: 6BF72D90
FindWindowW.USER32 ref: 6BF72DA3
FindWindowW.USER32 ref: 6BF72DB6
FindWindowW.USER32 ref: 6BF72DC9
FindWindowW.USER32 ref: 6BF72DDC
FindWindowW.USER32 ref: 6BF72DEF
FindWindowW.USER32 ref: 6BF72E02
FindWindowW.USER32 ref: 6BF72E15
FindWindowW.USER32 ref: 6BF72E28
FindWindowW.USER32 ref: 6BF72E3B
FindWindowW.USER32 ref: 6BF72E4E
FindWindowW.USER32 ref: 6BF72E61
FindWindowW.USER32 ref: 6BF72E74
FindWindowW.USER32 ref: 6BF72E87
FindWindowW.USER32 ref: 6BF72E9A
FindWindowW.USER32 ref: 6BF72EAD
FindWindowW.USER32 ref: 6BF72EC0
FindWindowW.USER32 ref: 6BF72ED3
FindWindowW.USER32 ref: 6BF72EE6
FindWindowW.USER32 ref: 6BF72EF9
FindWindowW.USER32 ref: 6BF72F0C
FindWindowW.USER32 ref: 6BF72F1F
FindWindowW.USER32 ref: 6BF72F32
FindWindowW.USER32 ref: 6BF72F45
FindWindowW.USER32 ref: 6BF72F58
FindWindowW.USER32 ref: 6BF72F6B
FindWindowW.USER32 ref: 6BF72F7E
FindWindowW.USER32 ref: 6BF72F91
FindWindowW.USER32 ref: 6BF72FA4
FindWindowW.USER32 ref: 6BF72FB7
FindWindowW.USER32 ref: 6BF72FCA
FindWindowW.USER32 ref: 6BF72FDD
FindWindowW.USER32 ref: 6BF72FF0
FindWindowW.USER32 ref: 6BF73003
FindWindowW.USER32 ref: 6BF73016
FindWindowW.USER32 ref: 6BF73029
FindWindowW.USER32 ref: 6BF7303C
FindWindowW.USER32 ref: 6BF7304F
FindWindowW.USER32 ref: 6BF73062
FindWindowW.USER32 ref: 6BF73075
FindWindowW.USER32 ref: 6BF73088
FindWindowW.USER32 ref: 6BF7309B
FindWindowW.USER32 ref: 6BF730AE
FindWindowW.USER32 ref: 6BF730C1
FindWindowW.USER32 ref: 6BF730D4
FindWindowW.USER32 ref: 6BF730E7
FindWindowW.USER32 ref: 6BF730FA
FindWindowW.USER32 ref: 6BF7310D
FindWindowW.USER32 ref: 6BF73120
FindWindowW.USER32 ref: 6BF73133
FindWindowW.USER32 ref: 6BF73146
FindWindowW.USER32 ref: 6BF73159
FindWindowW.USER32 ref: 6BF7316C
FindWindowW.USER32 ref: 6BF7317F
FindWindowW.USER32 ref: 6BF73192
FindWindowW.USER32 ref: 6BF731A5
FindWindowW.USER32 ref: 6BF731B8
FindWindowW.USER32 ref: 6BF731CB
FindWindowW.USER32 ref: 6BF731DE
FindWindowW.USER32 ref: 6BF731F1
FindWindowW.USER32 ref: 6BF73204
FindWindowW.USER32 ref: 6BF73217
FindWindowW.USER32 ref: 6BF7322A
FindWindowW.USER32 ref: 6BF7323D
FindWindowW.USER32 ref: 6BF73250
FindWindowW.USER32 ref: 6BF73263
FindWindowW.USER32 ref: 6BF73276
FindWindowW.USER32 ref: 6BF73289
FindWindowW.USER32 ref: 6BF7329C
FindWindowW.USER32 ref: 6BF732AF
FindWindowW.USER32 ref: 6BF732C2
FindWindowW.USER32 ref: 6BF732D5
FindWindowW.USER32 ref: 6BF732E8
FindWindowW.USER32 ref: 6BF732FB
FindWindowW.USER32 ref: 6BF7330E
FindWindowW.USER32 ref: 6BF73321
FindWindowW.USER32 ref: 6BF73334
FindWindowW.USER32 ref: 6BF73347
FindWindowW.USER32 ref: 6BF7335A
FindWindowW.USER32 ref: 6BF7336D
FindWindowW.USER32 ref: 6BF73380
FindWindowW.USER32 ref: 6BF73393
FindWindowW.USER32 ref: 6BF733A6
FindWindowW.USER32 ref: 6BF733B9
FindWindowW.USER32 ref: 6BF733CC
FindWindowW.USER32 ref: 6BF733DF
FindWindowW.USER32 ref: 6BF733F2
FindWindowW.USER32 ref: 6BF73405
FindWindowW.USER32 ref: 6BF73418
FindWindowW.USER32 ref: 6BF7342B
FindWindowW.USER32 ref: 6BF7343E
FindWindowW.USER32 ref: 6BF73451
FindWindowW.USER32 ref: 6BF73464
FindWindowW.USER32 ref: 6BF73477
FindWindowW.USER32 ref: 6BF7348A
FindWindowW.USER32 ref: 6BF7349D
FindWindowW.USER32 ref: 6BF734B0
FindWindowW.USER32 ref: 6BF734C3
FindWindowW.USER32 ref: 6BF734D6
FindWindowW.USER32 ref: 6BF734E9
FindWindowW.USER32 ref: 6BF734FC
FindWindowW.USER32 ref: 6BF7350F
FindWindowW.USER32 ref: 6BF73522
FindWindowW.USER32 ref: 6BF73535
FindWindowW.USER32 ref: 6BF73548
FindWindowW.USER32 ref: 6BF7355B
FindWindowW.USER32 ref: 6BF7356E
FindWindowW.USER32 ref: 6BF73581
FindWindowW.USER32 ref: 6BF73594
FindWindowW.USER32 ref: 6BF735A7
FindWindowW.USER32 ref: 6BF735BA
FindWindowW.USER32 ref: 6BF735CD
FindWindowW.USER32 ref: 6BF735E0
FindWindowW.USER32 ref: 6BF735F3
FindWindowW.USER32 ref: 6BF73606
FindWindowW.USER32 ref: 6BF73619
FindWindowW.USER32 ref: 6BF7362C
FindWindowW.USER32 ref: 6BF7363F
FindWindowW.USER32 ref: 6BF73652
FindWindowW.USER32 ref: 6BF73665
FindWindowW.USER32 ref: 6BF73678
FindWindowW.USER32 ref: 6BF7368B
FindWindowW.USER32 ref: 6BF7369E
FindWindowW.USER32 ref: 6BF736B1
FindWindowW.USER32 ref: 6BF736C4
FindWindowW.USER32 ref: 6BF736D7
FindWindowW.USER32 ref: 6BF736EA
FindWindowW.USER32 ref: 6BF736FD
FindWindowW.USER32 ref: 6BF73710
FindWindowW.USER32 ref: 6BF73723
FindWindowW.USER32 ref: 6BF73736
FindWindowW.USER32 ref: 6BF73749
FindWindowW.USER32 ref: 6BF7375C
FindWindowW.USER32 ref: 6BF7376F
FindWindowW.USER32 ref: 6BF73782
FindWindowW.USER32 ref: 6BF73795
FindWindowW.USER32 ref: 6BF737A8
FindWindowW.USER32 ref: 6BF737BB
FindWindowW.USER32 ref: 6BF737CE
FindWindowW.USER32 ref: 6BF737E1
FindWindowW.USER32 ref: 6BF737F4
FindWindowW.USER32 ref: 6BF73807
FindWindowW.USER32 ref: 6BF7381A
FindWindowW.USER32 ref: 6BF7382D
FindWindowW.USER32 ref: 6BF73840
FindWindowW.USER32 ref: 6BF73853
FindWindowW.USER32 ref: 6BF73866
FindWindowW.USER32 ref: 6BF73879
FindWindowW.USER32 ref: 6BF7388C
FindWindowW.USER32 ref: 6BF7389F
FindWindowW.USER32 ref: 6BF738B2
FindWindowW.USER32 ref: 6BF738C5
FindWindowW.USER32 ref: 6BF738D8
FindWindowW.USER32 ref: 6BF738EB
FindWindowW.USER32 ref: 6BF738FE
FindWindowW.USER32 ref: 6BF73911
FindWindowW.USER32 ref: 6BF73924
FindWindowW.USER32 ref: 6BF73937
FindWindowW.USER32 ref: 6BF7394A
FindWindowW.USER32 ref: 6BF7395D
FindWindowW.USER32 ref: 6BF73970
FindWindowW.USER32 ref: 6BF73983
FindWindowW.USER32 ref: 6BF73996
FindWindowW.USER32 ref: 6BF739A9
FindWindowW.USER32 ref: 6BF739BC
FindWindowW.USER32 ref: 6BF739CF
FindWindowW.USER32 ref: 6BF739E2
FindWindowW.USER32 ref: 6BF739F5
FindWindowW.USER32 ref: 6BF73A08
FindWindowW.USER32 ref: 6BF73A1B
FindWindowW.USER32 ref: 6BF73A2E
FindWindowW.USER32 ref: 6BF73A41
FindWindowW.USER32 ref: 6BF73A54
FindWindowW.USER32 ref: 6BF73A67
FindWindowW.USER32 ref: 6BF73A7A
FindWindowW.USER32 ref: 6BF73A8D
FindWindowW.USER32 ref: 6BF73AA0
FindWindowW.USER32 ref: 6BF73AB3
FindWindowW.USER32 ref: 6BF73AC6
FindWindowW.USER32 ref: 6BF73AD9
FindWindowW.USER32 ref: 6BF73AEC
FindWindowW.USER32 ref: 6BF73AFF
FindWindowW.USER32 ref: 6BF73B12
FindWindowW.USER32 ref: 6BF73B25
FindWindowW.USER32 ref: 6BF73B38
FindWindowW.USER32 ref: 6BF73B4B
FindWindowW.USER32 ref: 6BF73B5E
FindWindowW.USER32 ref: 6BF73B71
FindWindowW.USER32 ref: 6BF73B84
FindWindowW.USER32 ref: 6BF73B97
FindWindowW.USER32 ref: 6BF73BAA
FindWindowW.USER32 ref: 6BF73BBD
FindWindowW.USER32 ref: 6BF73BD0
FindWindowW.USER32 ref: 6BF73BE3
FindWindowW.USER32 ref: 6BF73BF6
FindWindowW.USER32 ref: 6BF73C09
FindWindowW.USER32 ref: 6BF73C1C
FindWindowW.USER32 ref: 6BF73C2F
FindWindowW.USER32 ref: 6BF73C42
FindWindowW.USER32 ref: 6BF73C55
FindWindowW.USER32 ref: 6BF73C68
FindWindowW.USER32 ref: 6BF73C7B
FindWindowW.USER32 ref: 6BF73C8E
FindWindowW.USER32 ref: 6BF73CA1
FindWindowW.USER32 ref: 6BF73CB4
FindWindowW.USER32 ref: 6BF73CC7
FindWindowW.USER32 ref: 6BF73CDA
FindWindowW.USER32 ref: 6BF73CED
FindWindowW.USER32 ref: 6BF73D00
FindWindowW.USER32 ref: 6BF73D13
FindWindowW.USER32 ref: 6BF73D26
FindWindowW.USER32 ref: 6BF73D39
FindWindowW.USER32 ref: 6BF73D4C
FindWindowW.USER32 ref: 6BF73D5F
FindWindowW.USER32 ref: 6BF73D72
FindWindowW.USER32 ref: 6BF73D85
FindWindowW.USER32 ref: 6BF73D98
FindWindowW.USER32 ref: 6BF73DAB
FindWindowW.USER32 ref: 6BF73DBE
FindWindowW.USER32 ref: 6BF73DD1
FindWindowW.USER32 ref: 6BF73DE4
FindWindowW.USER32 ref: 6BF73DF7
FindWindowW.USER32 ref: 6BF73E0A
FindWindowW.USER32 ref: 6BF73E1D
FindWindowW.USER32 ref: 6BF73E30
FindWindowW.USER32 ref: 6BF73E43
FindWindowW.USER32 ref: 6BF73E56
FindWindowW.USER32 ref: 6BF73E69
FindWindowW.USER32 ref: 6BF73E7C
FindWindowW.USER32 ref: 6BF73E8F
FindWindowW.USER32 ref: 6BF73EA2
FindWindowW.USER32 ref: 6BF73EB5
FindWindowW.USER32 ref: 6BF73EC8
FindWindowW.USER32 ref: 6BF73EDB
FindWindowW.USER32 ref: 6BF73EEE
FindWindowW.USER32 ref: 6BF73F01
FindWindowW.USER32 ref: 6BF73F14
FindWindowW.USER32 ref: 6BF73F27
FindWindowW.USER32 ref: 6BF73F3A
FindWindowW.USER32 ref: 6BF73F4D
FindWindowW.USER32 ref: 6BF73F60
FindWindowW.USER32 ref: 6BF73F73
FindWindowW.USER32 ref: 6BF73F86
FindWindowW.USER32 ref: 6BF73F99
FindWindowW.USER32 ref: 6BF73FAC
FindWindowW.USER32 ref: 6BF73FBF
FindWindowW.USER32 ref: 6BF73FD2
FindWindowW.USER32 ref: 6BF73FE5
FindWindowW.USER32 ref: 6BF73FF8
FindWindowW.USER32 ref: 6BF7400B
FindWindowW.USER32 ref: 6BF7401E
FindWindowW.USER32 ref: 6BF74031
FindWindowW.USER32 ref: 6BF74044
FindWindowW.USER32 ref: 6BF74057
FindWindowW.USER32 ref: 6BF7406A
FindWindowW.USER32 ref: 6BF7407D
FindWindowW.USER32 ref: 6BF74090
FindWindowW.USER32 ref: 6BF740A3
FindWindowW.USER32 ref: 6BF740B6
FindWindowW.USER32 ref: 6BF740C9
FindWindowW.USER32 ref: 6BF740DC
FindWindowW.USER32 ref: 6BF740EF
FindWindowW.USER32 ref: 6BF74102
FindWindowW.USER32 ref: 6BF74115
FindWindowW.USER32 ref: 6BF74128
FindWindowW.USER32 ref: 6BF7413B
FindWindowW.USER32 ref: 6BF7414E
FindWindowW.USER32 ref: 6BF74161
FindWindowW.USER32 ref: 6BF74174
FindWindowW.USER32 ref: 6BF74187
FindWindowW.USER32 ref: 6BF7419A
FindWindowW.USER32 ref: 6BF741AD
FindWindowW.USER32 ref: 6BF741C0
FindWindowW.USER32 ref: 6BF741D3
FindWindowW.USER32 ref: 6BF741E6
FindWindowW.USER32 ref: 6BF741F9
FindWindowW.USER32 ref: 6BF7420C
FindWindowW.USER32 ref: 6BF7421F
FindWindowW.USER32 ref: 6BF74232
FindWindowW.USER32 ref: 6BF74245
FindWindowW.USER32 ref: 6BF74258
FindWindowW.USER32 ref: 6BF7426B
FindWindowW.USER32 ref: 6BF7427E
FindWindowW.USER32 ref: 6BF74291
FindWindowW.USER32 ref: 6BF742A4
FindWindowW.USER32 ref: 6BF742B7
FindWindowW.USER32 ref: 6BF742CA
FindWindowW.USER32 ref: 6BF742DD
FindWindowW.USER32 ref: 6BF742F0
FindWindowW.USER32 ref: 6BF74303
FindWindowW.USER32 ref: 6BF74316
FindWindowW.USER32 ref: 6BF74329
FindWindowW.USER32 ref: 6BF7433C
FindWindowW.USER32 ref: 6BF7434F
FindWindowW.USER32 ref: 6BF74362
FindWindowW.USER32 ref: 6BF74375
FindWindowW.USER32 ref: 6BF74388
FindWindowW.USER32 ref: 6BF7439B
FindWindowW.USER32 ref: 6BF743AE
FindWindowW.USER32 ref: 6BF743C1
FindWindowW.USER32 ref: 6BF743D4
FindWindowW.USER32 ref: 6BF743E7
FindWindowW.USER32 ref: 6BF743FA
FindWindowW.USER32 ref: 6BF7440D
FindWindowW.USER32 ref: 6BF74420
FindWindowW.USER32 ref: 6BF74433
FindWindowW.USER32 ref: 6BF74446
FindWindowW.USER32 ref: 6BF74459
FindWindowW.USER32 ref: 6BF7446C
FindWindowW.USER32 ref: 6BF7447F
FindWindowW.USER32 ref: 6BF74492
FindWindowW.USER32 ref: 6BF744A5
FindWindowW.USER32 ref: 6BF744B8
FindWindowW.USER32 ref: 6BF744CB
FindWindowW.USER32 ref: 6BF744DE
FindWindowW.USER32 ref: 6BF744F1
FindWindowW.USER32 ref: 6BF74504
FindWindowW.USER32 ref: 6BF74517
FindWindowW.USER32 ref: 6BF7452A
FindWindowW.USER32 ref: 6BF7453D
FindWindowW.USER32 ref: 6BF74550
FindWindowW.USER32 ref: 6BF74563
FindWindowW.USER32 ref: 6BF74576
FindWindowW.USER32 ref: 6BF74589
FindWindowW.USER32 ref: 6BF7459C
FindWindowW.USER32 ref: 6BF745AF
FindWindowW.USER32 ref: 6BF745C2
FindWindowW.USER32 ref: 6BF745D5
FindWindowW.USER32 ref: 6BF745E8
FindWindowW.USER32 ref: 6BF745FB
FindWindowW.USER32 ref: 6BF7460E
FindWindowW.USER32 ref: 6BF74621
FindWindowW.USER32 ref: 6BF74634
FindWindowW.USER32 ref: 6BF74647
FindWindowW.USER32 ref: 6BF7465A
FindWindowW.USER32 ref: 6BF7466D
FindWindowW.USER32 ref: 6BF74680
FindWindowW.USER32 ref: 6BF74693
FindWindowW.USER32 ref: 6BF746A6
FindWindowW.USER32 ref: 6BF746B9
FindWindowW.USER32 ref: 6BF746CC
FindWindowW.USER32 ref: 6BF746DF
FindWindowW.USER32 ref: 6BF746F2
FindWindowW.USER32 ref: 6BF74705
FindWindowW.USER32 ref: 6BF74718
FindWindowW.USER32 ref: 6BF7472B
FindWindowW.USER32 ref: 6BF7473E
FindWindowW.USER32 ref: 6BF74751
FindWindowW.USER32 ref: 6BF74764
FindWindowW.USER32 ref: 6BF74777
FindWindowW.USER32 ref: 6BF7478A
FindWindowW.USER32 ref: 6BF7479D
FindWindowW.USER32 ref: 6BF747B0
FindWindowW.USER32 ref: 6BF747C3
FindWindowW.USER32 ref: 6BF747D6
FindWindowW.USER32 ref: 6BF747E9
FindWindowW.USER32 ref: 6BF747FC
FindWindowW.USER32 ref: 6BF7480F
FindWindowW.USER32 ref: 6BF74822
FindWindowW.USER32 ref: 6BF74835
FindWindowW.USER32 ref: 6BF74848
FindWindowW.USER32 ref: 6BF7485B
FindWindowW.USER32 ref: 6BF7486E
FindWindowW.USER32 ref: 6BF74881
FindWindowW.USER32 ref: 6BF74894
FindWindowW.USER32 ref: 6BF748A7
FindWindowW.USER32 ref: 6BF748BA
FindWindowW.USER32 ref: 6BF748CD
FindWindowW.USER32 ref: 6BF748E0
FindWindowW.USER32 ref: 6BF748F3
FindWindowW.USER32 ref: 6BF74906
FindWindowW.USER32 ref: 6BF74919
FindWindowW.USER32 ref: 6BF7492C
FindWindowW.USER32 ref: 6BF7493F
FindWindowW.USER32 ref: 6BF74952
FindWindowW.USER32 ref: 6BF74965
FindWindowW.USER32 ref: 6BF74978
FindWindowW.USER32 ref: 6BF7498B
FindWindowW.USER32 ref: 6BF7499E
FindWindowW.USER32 ref: 6BF749B1
FindWindowW.USER32 ref: 6BF749C4
FindWindowW.USER32 ref: 6BF749D7
FindWindowW.USER32 ref: 6BF749EA
FindWindowW.USER32 ref: 6BF749FD
FindWindowW.USER32 ref: 6BF74A10
FindWindowW.USER32 ref: 6BF74A23
FindWindowW.USER32 ref: 6BF74A36
FindWindowW.USER32 ref: 6BF74A49
FindWindowW.USER32 ref: 6BF74A5C
FindWindowW.USER32 ref: 6BF74A6F
FindWindowW.USER32 ref: 6BF74A82
FindWindowW.USER32 ref: 6BF74A95
FindWindowW.USER32 ref: 6BF74AA8
FindWindowW.USER32 ref: 6BF74ABB
FindWindowW.USER32 ref: 6BF74ACE
FindWindowW.USER32 ref: 6BF74AE1
FindWindowW.USER32 ref: 6BF74AF4
FindWindowW.USER32 ref: 6BF74B07
FindWindowW.USER32 ref: 6BF74B1A
FindWindowW.USER32 ref: 6BF74B2D
FindWindowW.USER32 ref: 6BF74B40
FindWindowW.USER32 ref: 6BF74B53
FindWindowW.USER32 ref: 6BF74B66
FindWindowW.USER32 ref: 6BF74B79
FindWindowW.USER32 ref: 6BF74B8C
FindWindowW.USER32 ref: 6BF74B9F
FindWindowW.USER32 ref: 6BF74BB2
FindWindowW.USER32 ref: 6BF74BC5
FindWindowW.USER32 ref: 6BF74BD8
FindWindowW.USER32 ref: 6BF74BEB
FindWindowW.USER32 ref: 6BF74BFE
FindWindowW.USER32 ref: 6BF74C11
FindWindowW.USER32 ref: 6BF74C24
FindWindowW.USER32 ref: 6BF74C37
FindWindowW.USER32 ref: 6BF74C4A
FindWindowW.USER32 ref: 6BF74C5D
FindWindowW.USER32 ref: 6BF74C70
FindWindowW.USER32 ref: 6BF74C83
FindWindowW.USER32 ref: 6BF74C96
FindWindowW.USER32 ref: 6BF74CA9
FindWindowW.USER32 ref: 6BF74CBC
FindWindowW.USER32 ref: 6BF74CCF
FindWindowW.USER32 ref: 6BF74CE2
FindWindowW.USER32 ref: 6BF74CF5
FindWindowW.USER32 ref: 6BF74D08
FindWindowW.USER32 ref: 6BF74D1B
FindWindowW.USER32 ref: 6BF74D2E
FindWindowW.USER32 ref: 6BF74D41
FindWindowW.USER32 ref: 6BF74D54
FindWindowW.USER32 ref: 6BF74D67
FindWindowW.USER32 ref: 6BF74D7A
FindWindowW.USER32 ref: 6BF74D8D
FindWindowW.USER32 ref: 6BF74DA0
FindWindowW.USER32 ref: 6BF74DB3
FindWindowW.USER32 ref: 6BF74DC6
FindWindowW.USER32 ref: 6BF74DD9
FindWindowW.USER32 ref: 6BF74DEC
FindWindowW.USER32 ref: 6BF74DFF
FindWindowW.USER32 ref: 6BF74E12
FindWindowW.USER32 ref: 6BF74E25
FindWindowW.USER32 ref: 6BF74E38
FindWindowW.USER32 ref: 6BF74E4B
FindWindowW.USER32 ref: 6BF74E5E
FindWindowW.USER32 ref: 6BF74E71
FindWindowW.USER32 ref: 6BF74E84
FindWindowW.USER32 ref: 6BF74E97
FindWindowW.USER32 ref: 6BF74EAA
FindWindowW.USER32 ref: 6BF74EBD
FindWindowW.USER32 ref: 6BF74ED0
FindWindowW.USER32 ref: 6BF74EE3
FindWindowW.USER32 ref: 6BF74EF6
FindWindowW.USER32 ref: 6BF74F09
FindWindowW.USER32 ref: 6BF74F1C
FindWindowW.USER32 ref: 6BF74F2F
FindWindowW.USER32 ref: 6BF74F42
FindWindowW.USER32 ref: 6BF74F55
FindWindowW.USER32 ref: 6BF74F68
FindWindowW.USER32 ref: 6BF74F7B
FindWindowW.USER32 ref: 6BF74F8E
FindWindowW.USER32 ref: 6BF74FA1
FindWindowW.USER32 ref: 6BF74FB4
FindWindowW.USER32 ref: 6BF74FC7
FindWindowW.USER32 ref: 6BF74FDA
FindWindowW.USER32 ref: 6BF74FED
FindWindowW.USER32 ref: 6BF75000
FindWindowW.USER32 ref: 6BF75013
FindWindowW.USER32 ref: 6BF75026
FindWindowW.USER32 ref: 6BF75039
FindWindowW.USER32 ref: 6BF7504C
FindWindowW.USER32 ref: 6BF7505F
FindWindowW.USER32 ref: 6BF75072
FindWindowW.USER32 ref: 6BF75085
FindWindowW.USER32 ref: 6BF75098
FindWindowW.USER32 ref: 6BF750AB
FindWindowW.USER32 ref: 6BF750BE
FindWindowW.USER32 ref: 6BF750D1
FindWindowW.USER32 ref: 6BF750E4
FindWindowW.USER32 ref: 6BF750F7
FindWindowW.USER32 ref: 6BF7510A
FindWindowW.USER32 ref: 6BF7511D
FindWindowW.USER32 ref: 6BF75130
FindWindowW.USER32 ref: 6BF75143
FindWindowW.USER32 ref: 6BF75156
FindWindowW.USER32 ref: 6BF75169
FindWindowW.USER32 ref: 6BF7517C
FindWindowW.USER32 ref: 6BF7518F
FindWindowW.USER32 ref: 6BF751A2
FindWindowW.USER32 ref: 6BF751B5
FindWindowW.USER32 ref: 6BF751C8
FindWindowW.USER32 ref: 6BF751DB
FindWindowW.USER32 ref: 6BF751EE
FindWindowW.USER32 ref: 6BF75201
FindWindowW.USER32 ref: 6BF75214
FindWindowW.USER32 ref: 6BF75227
FindWindowW.USER32 ref: 6BF7523A
FindWindowW.USER32 ref: 6BF7524D
FindWindowW.USER32 ref: 6BF75260
FindWindowW.USER32 ref: 6BF75273
FindWindowW.USER32 ref: 6BF75286
FindWindowW.USER32 ref: 6BF75299
FindWindowW.USER32 ref: 6BF752AC
FindWindowW.USER32 ref: 6BF752BF
FindWindowW.USER32 ref: 6BF752D2
FindWindowW.USER32 ref: 6BF752E5
FindWindowW.USER32 ref: 6BF752F8
FindWindowW.USER32 ref: 6BF7530B
FindWindowW.USER32 ref: 6BF7531E
FindWindowW.USER32 ref: 6BF75331
FindWindowW.USER32 ref: 6BF75344
FindWindowW.USER32 ref: 6BF75357
FindWindowW.USER32 ref: 6BF7536A
FindWindowW.USER32 ref: 6BF7537D
FindWindowW.USER32 ref: 6BF75390
FindWindowW.USER32 ref: 6BF753A3
FindWindowW.USER32 ref: 6BF753B6
FindWindowW.USER32 ref: 6BF753C9
FindWindowW.USER32 ref: 6BF753DC
FindWindowW.USER32 ref: 6BF753EF
FindWindowW.USER32 ref: 6BF75402
FindWindowW.USER32 ref: 6BF75415
FindWindowW.USER32 ref: 6BF75428
FindWindowW.USER32 ref: 6BF7543B
FindWindowW.USER32 ref: 6BF7544E
FindWindowW.USER32 ref: 6BF75461
FindWindowW.USER32 ref: 6BF75474
FindWindowW.USER32 ref: 6BF75487
FindWindowW.USER32 ref: 6BF7549A
FindWindowW.USER32 ref: 6BF754AD
FindWindowW.USER32 ref: 6BF754C0
FindWindowW.USER32 ref: 6BF754D3
FindWindowW.USER32 ref: 6BF754E6
FindWindowW.USER32 ref: 6BF754F9
FindWindowW.USER32 ref: 6BF7550C
FindWindowW.USER32 ref: 6BF7551F
FindWindowW.USER32 ref: 6BF75532
FindWindowW.USER32 ref: 6BF75545
FindWindowW.USER32 ref: 6BF75558
FindWindowW.USER32 ref: 6BF7556B
FindWindowW.USER32 ref: 6BF7557E
FindWindowW.USER32 ref: 6BF75591
FindWindowW.USER32 ref: 6BF755A4
FindWindowW.USER32 ref: 6BF755B7
FindWindowW.USER32 ref: 6BF755CA
FindWindowW.USER32 ref: 6BF755DD
FindWindowW.USER32 ref: 6BF755F0
FindWindowW.USER32 ref: 6BF75603
FindWindowW.USER32 ref: 6BF75616
FindWindowW.USER32 ref: 6BF75629
FindWindowW.USER32 ref: 6BF7563C
FindWindowW.USER32 ref: 6BF7564F
FindWindowW.USER32 ref: 6BF75662
FindWindowW.USER32 ref: 6BF75675
FindWindowW.USER32 ref: 6BF75688
FindWindowW.USER32 ref: 6BF7569B
FindWindowW.USER32 ref: 6BF756AE
FindWindowW.USER32 ref: 6BF756C1
FindWindowW.USER32 ref: 6BF756D4
FindWindowW.USER32 ref: 6BF756E7
FindWindowW.USER32 ref: 6BF756FA
FindWindowW.USER32 ref: 6BF7570D
FindWindowW.USER32 ref: 6BF75720
FindWindowW.USER32 ref: 6BF75733
FindWindowW.USER32 ref: 6BF75746
FindWindowW.USER32 ref: 6BF75759
FindWindowW.USER32 ref: 6BF7576C
FindWindowW.USER32 ref: 6BF7577F
FindWindowW.USER32 ref: 6BF75792
FindWindowW.USER32 ref: 6BF757A5
FindWindowW.USER32 ref: 6BF757B8
FindWindowW.USER32 ref: 6BF757CB
FindWindowW.USER32 ref: 6BF757DE
FindWindowW.USER32 ref: 6BF757F1
FindWindowW.USER32 ref: 6BF75804
FindWindowW.USER32 ref: 6BF75817
FindWindowW.USER32 ref: 6BF7582A
FindWindowW.USER32 ref: 6BF7583D
FindWindowW.USER32 ref: 6BF75850
FindWindowW.USER32 ref: 6BF75863
FindWindowW.USER32 ref: 6BF75876
FindWindowW.USER32 ref: 6BF75889
FindWindowW.USER32 ref: 6BF7589C
FindWindowW.USER32 ref: 6BF758AF
FindWindowW.USER32 ref: 6BF758C2
FindWindowW.USER32 ref: 6BF758D5
FindWindowW.USER32 ref: 6BF758E8
FindWindowW.USER32 ref: 6BF758FB
FindWindowW.USER32 ref: 6BF7590E
FindWindowW.USER32 ref: 6BF75921
FindWindowW.USER32 ref: 6BF75934
FindWindowW.USER32 ref: 6BF75947
FindWindowW.USER32 ref: 6BF7595A
FindWindowW.USER32 ref: 6BF7596D
FindWindowW.USER32 ref: 6BF75980
FindWindowW.USER32 ref: 6BF75993
FindWindowW.USER32 ref: 6BF759A6
FindWindowW.USER32 ref: 6BF759B9
FindWindowW.USER32 ref: 6BF759CC
FindWindowW.USER32 ref: 6BF759DF
FindWindowW.USER32 ref: 6BF759F2
FindWindowW.USER32 ref: 6BF75A05
FindWindowW.USER32 ref: 6BF75A18
FindWindowW.USER32 ref: 6BF75A2B
FindWindowW.USER32 ref: 6BF75A3E
FindWindowW.USER32 ref: 6BF75A51
FindWindowW.USER32 ref: 6BF75A64
FindWindowW.USER32 ref: 6BF75A77
FindWindowW.USER32 ref: 6BF75A8A
FindWindowW.USER32 ref: 6BF75A9D
FindWindowW.USER32 ref: 6BF75AB0
FindWindowW.USER32 ref: 6BF75AC3
FindWindowW.USER32 ref: 6BF75AD6
FindWindowW.USER32 ref: 6BF75AE9
FindWindowW.USER32 ref: 6BF75AFC
FindWindowW.USER32 ref: 6BF75B0F
FindWindowW.USER32 ref: 6BF75B22
FindWindowW.USER32 ref: 6BF75B35
FindWindowW.USER32 ref: 6BF75B48
FindWindowW.USER32 ref: 6BF75B5B
FindWindowW.USER32 ref: 6BF75B6E
FindWindowW.USER32 ref: 6BF75B81
FindWindowW.USER32 ref: 6BF75B94
FindWindowW.USER32 ref: 6BF75BA7
FindWindowW.USER32 ref: 6BF75BBA
FindWindowW.USER32 ref: 6BF75BCD
FindWindowW.USER32 ref: 6BF75BE0
FindWindowW.USER32 ref: 6BF75BF3
FindWindowW.USER32 ref: 6BF75C06
FindWindowW.USER32 ref: 6BF75C19
FindWindowW.USER32 ref: 6BF75C2C
FindWindowW.USER32 ref: 6BF75C3F
FindWindowW.USER32 ref: 6BF75C52
FindWindowW.USER32 ref: 6BF75C65
FindWindowW.USER32 ref: 6BF75C78
FindWindowW.USER32 ref: 6BF75C8B
FindWindowW.USER32 ref: 6BF75C9E
FindWindowW.USER32 ref: 6BF75CB1
FindWindowW.USER32 ref: 6BF75CC4
FindWindowW.USER32 ref: 6BF75CD7
FindWindowW.USER32 ref: 6BF75CEA
FindWindowW.USER32 ref: 6BF75CFD
FindWindowW.USER32 ref: 6BF75D10
FindWindowW.USER32 ref: 6BF75D23
FindWindowW.USER32 ref: 6BF75D36
FindWindowW.USER32 ref: 6BF75D49
FindWindowW.USER32 ref: 6BF75D5C
FindWindowW.USER32 ref: 6BF75D6F
FindWindowW.USER32 ref: 6BF75D82
FindWindowW.USER32 ref: 6BF75D95
FindWindowW.USER32 ref: 6BF75DA8
FindWindowW.USER32 ref: 6BF75DBB
FindWindowW.USER32 ref: 6BF75DCE
FindWindowW.USER32 ref: 6BF75DE1
FindWindowW.USER32 ref: 6BF75DF4
FindWindowW.USER32 ref: 6BF75E07
FindWindowW.USER32 ref: 6BF75E1A
FindWindowW.USER32 ref: 6BF75E2D
FindWindowW.USER32 ref: 6BF75E40
FindWindowW.USER32 ref: 6BF75E53
FindWindowW.USER32 ref: 6BF75E66
FindWindowW.USER32 ref: 6BF75E79
FindWindowW.USER32 ref: 6BF75E8C
FindWindowW.USER32 ref: 6BF75E9F
FindWindowW.USER32 ref: 6BF75EB2
FindWindowW.USER32 ref: 6BF75EC5
FindWindowW.USER32 ref: 6BF75ED8
FindWindowW.USER32 ref: 6BF75EEB
FindWindowW.USER32 ref: 6BF75EFE
FindWindowW.USER32 ref: 6BF75F11
FindWindowW.USER32 ref: 6BF75F24
FindWindowW.USER32 ref: 6BF75F37
FindWindowW.USER32 ref: 6BF75F4A
FindWindowW.USER32 ref: 6BF75F5D
FindWindowW.USER32 ref: 6BF75F70
FindWindowW.USER32 ref: 6BF75F83
FindWindowW.USER32 ref: 6BF75F96
FindWindowW.USER32 ref: 6BF75FA9
FindWindowW.USER32 ref: 6BF75FBC
FindWindowW.USER32 ref: 6BF75FCF
FindWindowW.USER32 ref: 6BF75FE2
FindWindowW.USER32 ref: 6BF75FF5
FindWindowW.USER32 ref: 6BF76008
FindWindowW.USER32 ref: 6BF7601B
FindWindowW.USER32 ref: 6BF7602E
FindWindowW.USER32 ref: 6BF76041
FindWindowW.USER32 ref: 6BF76054
FindWindowW.USER32 ref: 6BF76067
FindWindowW.USER32 ref: 6BF7607A
FindWindowW.USER32 ref: 6BF7608D
FindWindowW.USER32 ref: 6BF760A0
FindWindowW.USER32 ref: 6BF760B3
FindWindowW.USER32 ref: 6BF760C6
FindWindowW.USER32 ref: 6BF760D9
FindWindowW.USER32 ref: 6BF760EC
FindWindowW.USER32 ref: 6BF760FF
FindWindowW.USER32 ref: 6BF76112
FindWindowW.USER32 ref: 6BF76125
FindWindowW.USER32 ref: 6BF76138
FindWindowW.USER32 ref: 6BF7614B
FindWindowW.USER32 ref: 6BF7615E
FindWindowW.USER32 ref: 6BF76171
FindWindowW.USER32 ref: 6BF76184
FindWindowW.USER32 ref: 6BF76197
FindWindowW.USER32 ref: 6BF761AA
FindWindowW.USER32 ref: 6BF761BD
FindWindowW.USER32 ref: 6BF761D0
FindWindowW.USER32 ref: 6BF761E3
FindWindowW.USER32 ref: 6BF761F6
FindWindowW.USER32 ref: 6BF76209
FindWindowW.USER32 ref: 6BF7621C
FindWindowW.USER32 ref: 6BF7622F
FindWindowW.USER32 ref: 6BF76242
FindWindowW.USER32 ref: 6BF76255
FindWindowW.USER32 ref: 6BF76268
FindWindowW.USER32 ref: 6BF7627B
FindWindowW.USER32 ref: 6BF7628E
FindWindowW.USER32 ref: 6BF762A1
FindWindowW.USER32 ref: 6BF762B4
FindWindowW.USER32 ref: 6BF762C7
FindWindowW.USER32 ref: 6BF762DA
FindWindowW.USER32 ref: 6BF762ED
FindWindowW.USER32 ref: 6BF76300
FindWindowW.USER32 ref: 6BF76313
FindWindowW.USER32 ref: 6BF76326
FindWindowW.USER32 ref: 6BF76339
FindWindowW.USER32 ref: 6BF7634C
FindWindowW.USER32 ref: 6BF7635F
FindWindowW.USER32 ref: 6BF76372
FindWindowW.USER32 ref: 6BF76385
FindWindowW.USER32 ref: 6BF76398
FindWindowW.USER32 ref: 6BF763AB
FindWindowW.USER32 ref: 6BF763BE
FindWindowW.USER32 ref: 6BF763D1
FindWindowW.USER32 ref: 6BF763E4
FindWindowW.USER32 ref: 6BF763F7
FindWindowW.USER32 ref: 6BF7640A
FindWindowW.USER32 ref: 6BF7641D
FindWindowW.USER32 ref: 6BF76430
FindWindowW.USER32 ref: 6BF76443
FindWindowW.USER32 ref: 6BF76456
FindWindowW.USER32 ref: 6BF76469
FindWindowW.USER32 ref: 6BF7647C
FindWindowW.USER32 ref: 6BF7648F
FindWindowW.USER32 ref: 6BF764A2
FindWindowW.USER32 ref: 6BF764B5
FindWindowW.USER32 ref: 6BF764C8
FindWindowW.USER32 ref: 6BF764DB
FindWindowW.USER32 ref: 6BF764EE
FindWindowW.USER32 ref: 6BF76501
FindWindowW.USER32 ref: 6BF76514
FindWindowW.USER32 ref: 6BF76527
FindWindowW.USER32 ref: 6BF7653A
FindWindowW.USER32 ref: 6BF7654D
FindWindowW.USER32 ref: 6BF76560
FindWindowW.USER32 ref: 6BF76573
FindWindowW.USER32 ref: 6BF76586
FindWindowW.USER32 ref: 6BF76599
FindWindowW.USER32 ref: 6BF765AC
FindWindowW.USER32 ref: 6BF765BF
FindWindowW.USER32 ref: 6BF765D2
FindWindowW.USER32 ref: 6BF765E5
FindWindowW.USER32 ref: 6BF765F8
FindWindowW.USER32 ref: 6BF7660B
FindWindowW.USER32 ref: 6BF7661E
FindWindowW.USER32 ref: 6BF76631
FindWindowW.USER32 ref: 6BF76644
FindWindowW.USER32 ref: 6BF76657
FindWindowW.USER32 ref: 6BF7666A
FindWindowW.USER32 ref: 6BF7667D
FindWindowW.USER32 ref: 6BF76690
FindWindowW.USER32 ref: 6BF766A3
FindWindowW.USER32 ref: 6BF766B6
FindWindowW.USER32 ref: 6BF766C9
FindWindowW.USER32 ref: 6BF766DC
FindWindowW.USER32 ref: 6BF766EF
FindWindowW.USER32 ref: 6BF76702
FindWindowW.USER32 ref: 6BF76715
FindWindowW.USER32 ref: 6BF76728
FindWindowW.USER32 ref: 6BF7673B
FindWindowW.USER32 ref: 6BF7674E
FindWindowW.USER32 ref: 6BF76761
FindWindowW.USER32 ref: 6BF76774
FindWindowW.USER32 ref: 6BF76787
FindWindowW.USER32 ref: 6BF7679A
FindWindowW.USER32 ref: 6BF767AD
FindWindowW.USER32 ref: 6BF767C0
FindWindowW.USER32 ref: 6BF767D3
FindWindowW.USER32 ref: 6BF767E6
FindWindowW.USER32 ref: 6BF767F9
FindWindowW.USER32 ref: 6BF7680C
FindWindowW.USER32 ref: 6BF7681F
FindWindowW.USER32 ref: 6BF76832
FindWindowW.USER32 ref: 6BF76845
FindWindowW.USER32 ref: 6BF76858
FindWindowW.USER32 ref: 6BF7686B
FindWindowW.USER32 ref: 6BF7687E
FindWindowW.USER32 ref: 6BF76891
FindWindowW.USER32 ref: 6BF768A4
FindWindowW.USER32 ref: 6BF768B7
FindWindowW.USER32 ref: 6BF768CA
FindWindowW.USER32 ref: 6BF768DD
FindWindowW.USER32 ref: 6BF768F0
FindWindowW.USER32 ref: 6BF76903
FindWindowW.USER32 ref: 6BF76916
FindWindowW.USER32 ref: 6BF76929
FindWindowW.USER32 ref: 6BF7693C
FindWindowW.USER32 ref: 6BF7694F
FindWindowW.USER32 ref: 6BF76962
FindWindowW.USER32 ref: 6BF76975
FindWindowW.USER32 ref: 6BF76988
FindWindowW.USER32 ref: 6BF7699B
FindWindowW.USER32 ref: 6BF769AE
FindWindowW.USER32 ref: 6BF769C1
FindWindowW.USER32 ref: 6BF769D4
FindWindowW.USER32 ref: 6BF769E7
FindWindowW.USER32 ref: 6BF769FA
FindWindowW.USER32 ref: 6BF76A0D
FindWindowW.USER32 ref: 6BF76A20
FindWindowW.USER32 ref: 6BF76A33
FindWindowW.USER32 ref: 6BF76A46
FindWindowW.USER32 ref: 6BF76A59
FindWindowW.USER32 ref: 6BF76A6C
FindWindowW.USER32 ref: 6BF76A7F
FindWindowW.USER32 ref: 6BF76A92
FindWindowW.USER32 ref: 6BF76AA5
FindWindowW.USER32 ref: 6BF76AB8
FindWindowW.USER32 ref: 6BF76ACB
FindWindowW.USER32 ref: 6BF76ADE
FindWindowW.USER32 ref: 6BF76AF1
FindWindowW.USER32 ref: 6BF76B04
FindWindowW.USER32 ref: 6BF76B17
FindWindowW.USER32 ref: 6BF76B2A
FindWindowW.USER32 ref: 6BF76B3D
FindWindowW.USER32 ref: 6BF76B50
FindWindowW.USER32 ref: 6BF76B63
FindWindowW.USER32 ref: 6BF76B76
FindWindowW.USER32 ref: 6BF76B89
FindWindowW.USER32 ref: 6BF76B9C
FindWindowW.USER32 ref: 6BF76BAF
FindWindowW.USER32 ref: 6BF76BC2
FindWindowW.USER32 ref: 6BF76BD5
FindWindowW.USER32 ref: 6BF76BE8
FindWindowW.USER32 ref: 6BF76BFB
FindWindowW.USER32 ref: 6BF76C0E
FindWindowW.USER32 ref: 6BF76C21
FindWindowW.USER32 ref: 6BF76C34
FindWindowW.USER32 ref: 6BF76C47
FindWindowW.USER32 ref: 6BF76C5A
FindWindowW.USER32 ref: 6BF76C6D
FindWindowW.USER32 ref: 6BF76C80
FindWindowW.USER32 ref: 6BF76C93
FindWindowW.USER32 ref: 6BF76CA6
FindWindowW.USER32 ref: 6BF76CB9
FindWindowW.USER32 ref: 6BF76CCC
FindWindowW.USER32 ref: 6BF76CDF
FindWindowW.USER32 ref: 6BF76CF2
FindWindowW.USER32 ref: 6BF76D05
FindWindowW.USER32 ref: 6BF76D18
FindWindowW.USER32 ref: 6BF76D2B
FindWindowW.USER32 ref: 6BF76D3E
FindWindowW.USER32 ref: 6BF76D51
FindWindowW.USER32 ref: 6BF76D64
FindWindowW.USER32 ref: 6BF76D77
FindWindowW.USER32 ref: 6BF76D8A
FindWindowW.USER32 ref: 6BF76D9D
FindWindowW.USER32 ref: 6BF76DB0
FindWindowW.USER32 ref: 6BF76DC3
FindWindowW.USER32 ref: 6BF76DD6
FindWindowW.USER32 ref: 6BF76DE9
FindWindowW.USER32 ref: 6BF76DFC
FindWindowW.USER32 ref: 6BF76E0F
FindWindowW.USER32 ref: 6BF76E22
FindWindowW.USER32 ref: 6BF76E35
FindWindowW.USER32 ref: 6BF76E48
FindWindowW.USER32 ref: 6BF76E5B
FindWindowW.USER32 ref: 6BF76E6E
FindWindowW.USER32 ref: 6BF76E81
FindWindowW.USER32 ref: 6BF76E94
FindWindowW.USER32 ref: 6BF76EA7
FindWindowW.USER32 ref: 6BF76EBA
FindWindowW.USER32 ref: 6BF76ECD
FindWindowW.USER32 ref: 6BF76EE0
FindWindowW.USER32 ref: 6BF76EF3
FindWindowW.USER32 ref: 6BF76F06
FindWindowW.USER32 ref: 6BF76F19
FindWindowW.USER32 ref: 6BF76F2C
FindWindowW.USER32 ref: 6BF76F3F
FindWindowW.USER32 ref: 6BF76F52
FindWindowW.USER32 ref: 6BF76F65
FindWindowW.USER32 ref: 6BF76F78
FindWindowW.USER32 ref: 6BF76F8B
FindWindowW.USER32 ref: 6BF76F9E
FindWindowW.USER32 ref: 6BF76FB1
FindWindowW.USER32 ref: 6BF76FC4
FindWindowW.USER32 ref: 6BF76FD7
FindWindowW.USER32 ref: 6BF76FEA
FindWindowW.USER32 ref: 6BF76FFD
FindWindowW.USER32 ref: 6BF77010
FindWindowW.USER32 ref: 6BF77023
FindWindowW.USER32 ref: 6BF77036
FindWindowW.USER32 ref: 6BF77049
FindWindowW.USER32 ref: 6BF7705C
FindWindowW.USER32 ref: 6BF7706F
FindWindowW.USER32 ref: 6BF77082
FindWindowW.USER32 ref: 6BF77095
FindWindowW.USER32 ref: 6BF770A8
FindWindowW.USER32 ref: 6BF770BB
FindWindowW.USER32 ref: 6BF770CE
FindWindowW.USER32 ref: 6BF770E1
FindWindowW.USER32 ref: 6BF770F4
FindWindowW.USER32 ref: 6BF77107
FindWindowW.USER32 ref: 6BF7711A
FindWindowW.USER32 ref: 6BF7712D
FindWindowW.USER32 ref: 6BF77140
FindWindowW.USER32 ref: 6BF77153
FindWindowW.USER32 ref: 6BF77166
FindWindowW.USER32 ref: 6BF77179
FindWindowW.USER32 ref: 6BF7718C
FindWindowW.USER32 ref: 6BF7719F
FindWindowW.USER32 ref: 6BF771B2
FindWindowW.USER32 ref: 6BF771C5
FindWindowW.USER32 ref: 6BF771D8
FindWindowW.USER32 ref: 6BF771EB
FindWindowW.USER32 ref: 6BF771FE
FindWindowW.USER32 ref: 6BF77211
FindWindowW.USER32 ref: 6BF77224
FindWindowW.USER32 ref: 6BF77237
FindWindowW.USER32 ref: 6BF7724A
FindWindowW.USER32 ref: 6BF7725D
FindWindowW.USER32 ref: 6BF77270
FindWindowW.USER32 ref: 6BF77283
FindWindowW.USER32 ref: 6BF77296
FindWindowW.USER32 ref: 6BF772A9
FindWindowW.USER32 ref: 6BF772BC
FindWindowW.USER32 ref: 6BF772CF
FindWindowW.USER32 ref: 6BF772E2
FindWindowW.USER32 ref: 6BF772F5
FindWindowW.USER32 ref: 6BF77308
FindWindowW.USER32 ref: 6BF7731B
FindWindowW.USER32 ref: 6BF7732E
FindWindowW.USER32 ref: 6BF77341
FindWindowW.USER32 ref: 6BF77354
FindWindowW.USER32 ref: 6BF77367
FindWindowW.USER32 ref: 6BF7737A
FindWindowW.USER32 ref: 6BF7738D
FindWindowW.USER32 ref: 6BF773A0
FindWindowW.USER32 ref: 6BF773B3
FindWindowW.USER32 ref: 6BF773C6
FindWindowW.USER32 ref: 6BF773D9
FindWindowW.USER32 ref: 6BF773EC
FindWindowW.USER32 ref: 6BF773FF
FindWindowW.USER32 ref: 6BF77412
FindWindowW.USER32 ref: 6BF77425
FindWindowW.USER32 ref: 6BF77438
FindWindowW.USER32 ref: 6BF7744B
FindWindowW.USER32 ref: 6BF7745E
FindWindowW.USER32 ref: 6BF77471
FindWindowW.USER32 ref: 6BF77484
FindWindowW.USER32 ref: 6BF77497
FindWindowW.USER32 ref: 6BF774AA
FindWindowW.USER32 ref: 6BF774BD
FindWindowW.USER32 ref: 6BF774D0
FindWindowW.USER32 ref: 6BF774E3
FindWindowW.USER32 ref: 6BF774F6
FindWindowW.USER32 ref: 6BF77509
FindWindowW.USER32 ref: 6BF7751C
FindWindowW.USER32 ref: 6BF7752F
FindWindowW.USER32 ref: 6BF77542
FindWindowW.USER32 ref: 6BF77555
FindWindowW.USER32 ref: 6BF77568
FindWindowW.USER32 ref: 6BF7757B
FindWindowW.USER32 ref: 6BF7758E
FindWindowW.USER32 ref: 6BF775A1
FindWindowW.USER32 ref: 6BF775B4
FindWindowW.USER32 ref: 6BF775C7
FindWindowW.USER32 ref: 6BF775DA
FindWindowW.USER32 ref: 6BF775ED
FindWindowW.USER32 ref: 6BF77600
FindWindowW.USER32 ref: 6BF77613
FindWindowW.USER32 ref: 6BF77626
FindWindowW.USER32 ref: 6BF77639
FindWindowW.USER32 ref: 6BF7764C
FindWindowW.USER32 ref: 6BF7765F
FindWindowW.USER32 ref: 6BF77672
FindWindowW.USER32 ref: 6BF77685
FindWindowW.USER32 ref: 6BF77698
FindWindowW.USER32 ref: 6BF776AB
FindWindowW.USER32 ref: 6BF776BE
FindWindowW.USER32 ref: 6BF776D1
FindWindowW.USER32 ref: 6BF776E4
FindWindowW.USER32 ref: 6BF776F7
FindWindowW.USER32 ref: 6BF7770A
FindWindowW.USER32 ref: 6BF7771D
FindWindowW.USER32 ref: 6BF77730
FindWindowW.USER32 ref: 6BF77743
FindWindowW.USER32 ref: 6BF77756
FindWindowW.USER32 ref: 6BF77769
FindWindowW.USER32 ref: 6BF7777C
FindWindowW.USER32 ref: 6BF7778F
FindWindowW.USER32 ref: 6BF777A2
FindWindowW.USER32 ref: 6BF777B5
FindWindowW.USER32 ref: 6BF777C8
FindWindowW.USER32 ref: 6BF777DB
FindWindowW.USER32 ref: 6BF777EE
FindWindowW.USER32 ref: 6BF77801
FindWindowW.USER32 ref: 6BF77814
FindWindowW.USER32 ref: 6BF77827
FindWindowW.USER32 ref: 6BF7783A
FindWindowW.USER32 ref: 6BF7784D
FindWindowW.USER32 ref: 6BF77860
FindWindowW.USER32 ref: 6BF77873
FindWindowW.USER32 ref: 6BF77886
FindWindowW.USER32 ref: 6BF77899
FindWindowW.USER32 ref: 6BF778AC
FindWindowW.USER32 ref: 6BF778BF
FindWindowW.USER32 ref: 6BF778D2
FindWindowW.USER32 ref: 6BF778E5
FindWindowW.USER32 ref: 6BF778F8
FindWindowW.USER32 ref: 6BF7790B
FindWindowW.USER32 ref: 6BF7791E
FindWindowW.USER32 ref: 6BF77931
FindWindowW.USER32 ref: 6BF77944
FindWindowW.USER32 ref: 6BF77957
FindWindowW.USER32 ref: 6BF7796A
FindWindowW.USER32 ref: 6BF7797D
FindWindowW.USER32 ref: 6BF77990
FindWindowW.USER32 ref: 6BF779A3
FindWindowW.USER32 ref: 6BF779B6
FindWindowW.USER32 ref: 6BF779C9
FindWindowW.USER32 ref: 6BF779DC
FindWindowW.USER32 ref: 6BF779EF
FindWindowW.USER32 ref: 6BF77A02
FindWindowW.USER32 ref: 6BF77A15
FindWindowW.USER32 ref: 6BF77A28
FindWindowW.USER32 ref: 6BF77A3B
FindWindowW.USER32 ref: 6BF77A4E
FindWindowW.USER32 ref: 6BF77A61
FindWindowW.USER32 ref: 6BF77A74
FindWindowW.USER32 ref: 6BF77A87
FindWindowW.USER32 ref: 6BF77A9A
FindWindowW.USER32 ref: 6BF77AAD
FindWindowW.USER32 ref: 6BF77AC0
FindWindowW.USER32 ref: 6BF77AD3
FindWindowW.USER32 ref: 6BF77AE6
FindWindowW.USER32 ref: 6BF77AF9
FindWindowW.USER32 ref: 6BF77B0C
FindWindowW.USER32 ref: 6BF77B1F
FindWindowW.USER32 ref: 6BF77B32
FindWindowW.USER32 ref: 6BF77B45
FindWindowW.USER32 ref: 6BF77B58
FindWindowW.USER32 ref: 6BF77B6B
FindWindowW.USER32 ref: 6BF77B7E
FindWindowW.USER32 ref: 6BF77B91
FindWindowW.USER32 ref: 6BF77BA4
FindWindowW.USER32 ref: 6BF77BB7
FindWindowW.USER32 ref: 6BF77BCA
FindWindowW.USER32 ref: 6BF77BDD
FindWindowW.USER32 ref: 6BF77BF0
FindWindowW.USER32 ref: 6BF77C03
FindWindowW.USER32 ref: 6BF77C16
FindWindowW.USER32 ref: 6BF77C29
FindWindowW.USER32 ref: 6BF77C3C
FindWindowW.USER32 ref: 6BF77C4F
FindWindowW.USER32 ref: 6BF77C62
FindWindowW.USER32 ref: 6BF77C75
FindWindowW.USER32 ref: 6BF77C88
FindWindowW.USER32 ref: 6BF77C9B
FindWindowW.USER32 ref: 6BF77CAE
FindWindowW.USER32 ref: 6BF77CC1
FindWindowW.USER32 ref: 6BF77CD4
FindWindowW.USER32 ref: 6BF77CE7
FindWindowW.USER32 ref: 6BF77CFA
FindWindowW.USER32 ref: 6BF77D0D
FindWindowW.USER32 ref: 6BF77D20
FindWindowW.USER32 ref: 6BF77D33
FindWindowW.USER32 ref: 6BF77D46
FindWindowW.USER32 ref: 6BF77D59
FindWindowW.USER32 ref: 6BF77D6C
FindWindowW.USER32 ref: 6BF77D7F
FindWindowW.USER32 ref: 6BF77D92
FindWindowW.USER32 ref: 6BF77DA5
FindWindowW.USER32 ref: 6BF77DB8
FindWindowW.USER32 ref: 6BF77DCB
FindWindowW.USER32 ref: 6BF77DDE
FindWindowW.USER32 ref: 6BF77DF1
FindWindowW.USER32 ref: 6BF77E04
FindWindowW.USER32 ref: 6BF77E17
FindWindowW.USER32 ref: 6BF77E2A
FindWindowW.USER32 ref: 6BF77E3D
FindWindowW.USER32 ref: 6BF77E50
FindWindowW.USER32 ref: 6BF77E63
FindWindowW.USER32 ref: 6BF77E76
FindWindowW.USER32 ref: 6BF77E89
FindWindowW.USER32 ref: 6BF77E9C
FindWindowW.USER32 ref: 6BF77EAF
FindWindowW.USER32 ref: 6BF77EC2
FindWindowW.USER32 ref: 6BF77ED5
FindWindowW.USER32 ref: 6BF77EE8
FindWindowW.USER32 ref: 6BF77EFB
FindWindowW.USER32 ref: 6BF77F0E
FindWindowW.USER32 ref: 6BF77F21
FindWindowW.USER32 ref: 6BF77F34
FindWindowW.USER32 ref: 6BF77F47
FindWindowW.USER32 ref: 6BF77F5A
FindWindowW.USER32 ref: 6BF77F6D
FindWindowW.USER32 ref: 6BF77F80
FindWindowW.USER32 ref: 6BF77F93
FindWindowW.USER32 ref: 6BF77FA6
FindWindowW.USER32 ref: 6BF77FB9
FindWindowW.USER32 ref: 6BF77FCC
FindWindowW.USER32 ref: 6BF77FDF
FindWindowW.USER32 ref: 6BF77FF2
FindWindowW.USER32 ref: 6BF78005
FindWindowW.USER32 ref: 6BF78018
FindWindowW.USER32 ref: 6BF7802B
FindWindowW.USER32 ref: 6BF7803E
FindWindowW.USER32 ref: 6BF78051
FindWindowW.USER32 ref: 6BF78064
FindWindowW.USER32 ref: 6BF78077
FindWindowW.USER32 ref: 6BF7808A
FindWindowW.USER32 ref: 6BF7809D
FindWindowW.USER32 ref: 6BF780B0
FindWindowW.USER32 ref: 6BF780C3
FindWindowW.USER32 ref: 6BF780D6
FindWindowW.USER32 ref: 6BF780E9
FindWindowW.USER32 ref: 6BF780FC
FindWindowW.USER32 ref: 6BF7810F
FindWindowW.USER32 ref: 6BF78122
FindWindowW.USER32 ref: 6BF78135
FindWindowW.USER32 ref: 6BF78148
FindWindowW.USER32 ref: 6BF7815B
FindWindowW.USER32 ref: 6BF7816E
FindWindowW.USER32 ref: 6BF78181
FindWindowW.USER32 ref: 6BF78194
FindWindowW.USER32 ref: 6BF781A7
FindWindowW.USER32 ref: 6BF781BA
FindWindowW.USER32 ref: 6BF781CD
FindWindowW.USER32 ref: 6BF781E0
FindWindowW.USER32 ref: 6BF781F3
FindWindowW.USER32 ref: 6BF78206
FindWindowW.USER32 ref: 6BF78219
FindWindowW.USER32 ref: 6BF7822C
FindWindowW.USER32 ref: 6BF7823F
FindWindowW.USER32 ref: 6BF78252
FindWindowW.USER32 ref: 6BF78265
FindWindowW.USER32 ref: 6BF78278
FindWindowW.USER32 ref: 6BF7828B
FindWindowW.USER32 ref: 6BF7829E
FindWindowW.USER32 ref: 6BF782B1
FindWindowW.USER32 ref: 6BF782C4
FindWindowW.USER32 ref: 6BF782D7
FindWindowW.USER32 ref: 6BF782EA
FindWindowW.USER32 ref: 6BF782FD
FindWindowW.USER32 ref: 6BF78310
FindWindowW.USER32 ref: 6BF78323
FindWindowW.USER32 ref: 6BF78336
FindWindowW.USER32 ref: 6BF78349
FindWindowW.USER32 ref: 6BF7835C
FindWindowW.USER32 ref: 6BF7836F
FindWindowW.USER32 ref: 6BF78382
FindWindowW.USER32 ref: 6BF78395
FindWindowW.USER32 ref: 6BF783A8
FindWindowW.USER32 ref: 6BF783BB
FindWindowW.USER32 ref: 6BF783CE
FindWindowW.USER32 ref: 6BF783E1
FindWindowW.USER32 ref: 6BF783F4
FindWindowW.USER32 ref: 6BF78407
FindWindowW.USER32 ref: 6BF7841A
FindWindowW.USER32 ref: 6BF7842D
FindWindowW.USER32 ref: 6BF78440
FindWindowW.USER32 ref: 6BF78453
FindWindowW.USER32 ref: 6BF78466
FindWindowW.USER32 ref: 6BF78479
FindWindowW.USER32 ref: 6BF7848C
FindWindowW.USER32 ref: 6BF7849F
FindWindowW.USER32 ref: 6BF784B2
FindWindowW.USER32 ref: 6BF784C5
FindWindowW.USER32 ref: 6BF784D8
FindWindowW.USER32 ref: 6BF784EB
FindWindowW.USER32 ref: 6BF784FE
FindWindowW.USER32 ref: 6BF78511
FindWindowW.USER32 ref: 6BF78524
FindWindowW.USER32 ref: 6BF78537
FindWindowW.USER32 ref: 6BF7854A
FindWindowW.USER32 ref: 6BF7855D
FindWindowW.USER32 ref: 6BF78570
FindWindowW.USER32 ref: 6BF78583
FindWindowW.USER32 ref: 6BF78596
FindWindowW.USER32 ref: 6BF785A9
FindWindowW.USER32 ref: 6BF785BC
FindWindowW.USER32 ref: 6BF785CF
FindWindowW.USER32 ref: 6BF785E2
FindWindowW.USER32 ref: 6BF785F5
FindWindowW.USER32 ref: 6BF78608
FindWindowW.USER32 ref: 6BF7861B
FindWindowW.USER32 ref: 6BF7862E
FindWindowW.USER32 ref: 6BF78641
FindWindowW.USER32 ref: 6BF78654
FindWindowW.USER32 ref: 6BF78667
FindWindowW.USER32 ref: 6BF7867A
FindWindowW.USER32 ref: 6BF7868D
FindWindowW.USER32 ref: 6BF786A0
FindWindowW.USER32 ref: 6BF786B3
FindWindowW.USER32 ref: 6BF786C6
FindWindowW.USER32 ref: 6BF786D9
FindWindowW.USER32 ref: 6BF786EC
FindWindowW.USER32 ref: 6BF786FF
FindWindowW.USER32 ref: 6BF78712
FindWindowW.USER32 ref: 6BF78725
FindWindowW.USER32 ref: 6BF78738
FindWindowW.USER32 ref: 6BF7874B
FindWindowW.USER32 ref: 6BF7875E
FindWindowW.USER32 ref: 6BF78771
FindWindowW.USER32 ref: 6BF78784
FindWindowW.USER32 ref: 6BF78797
FindWindowW.USER32 ref: 6BF787AA
FindWindowW.USER32 ref: 6BF787BD
FindWindowW.USER32 ref: 6BF787D0
FindWindowW.USER32 ref: 6BF787E3
FindWindowW.USER32 ref: 6BF787F6
FindWindowW.USER32 ref: 6BF78809
FindWindowW.USER32 ref: 6BF7881C
FindWindowW.USER32 ref: 6BF7882F
FindWindowW.USER32 ref: 6BF78842
FindWindowW.USER32 ref: 6BF78855
FindWindowW.USER32 ref: 6BF78868
FindWindowW.USER32 ref: 6BF7887B
FindWindowW.USER32 ref: 6BF7888E
FindWindowW.USER32 ref: 6BF788A1
FindWindowW.USER32 ref: 6BF788B4
FindWindowW.USER32 ref: 6BF788C7
FindWindowW.USER32 ref: 6BF788DA
FindWindowW.USER32 ref: 6BF788ED
FindWindowW.USER32 ref: 6BF78900
FindWindowW.USER32 ref: 6BF78913
FindWindowW.USER32 ref: 6BF78926
FindWindowW.USER32 ref: 6BF78939
FindWindowW.USER32 ref: 6BF7894C
FindWindowW.USER32 ref: 6BF7895F
FindWindowW.USER32 ref: 6BF78972
FindWindowW.USER32 ref: 6BF78985
FindWindowW.USER32 ref: 6BF78998
FindWindowW.USER32 ref: 6BF789AB
FindWindowW.USER32 ref: 6BF789BE
FindWindowW.USER32 ref: 6BF789D1
FindWindowW.USER32 ref: 6BF789E4
FindWindowW.USER32 ref: 6BF789F7
FindWindowW.USER32 ref: 6BF78A0A
FindWindowW.USER32 ref: 6BF78A1D
FindWindowW.USER32 ref: 6BF78A30
FindWindowW.USER32 ref: 6BF78A43
FindWindowW.USER32 ref: 6BF78A56
FindWindowW.USER32 ref: 6BF78A69
FindWindowW.USER32 ref: 6BF78A7C
FindWindowW.USER32 ref: 6BF78A8F
FindWindowW.USER32 ref: 6BF78AA2
FindWindowW.USER32 ref: 6BF78AB5
FindWindowW.USER32 ref: 6BF78AC8
FindWindowW.USER32 ref: 6BF78ADB
FindWindowW.USER32 ref: 6BF78AEE
FindWindowW.USER32 ref: 6BF78B01
FindWindowW.USER32 ref: 6BF78B14
FindWindowW.USER32 ref: 6BF78B27
FindWindowW.USER32 ref: 6BF78B3A
FindWindowW.USER32 ref: 6BF78B4D
FindWindowW.USER32 ref: 6BF78B60
FindWindowW.USER32 ref: 6BF78B73
FindWindowW.USER32 ref: 6BF78B86
FindWindowW.USER32 ref: 6BF78B99
FindWindowW.USER32 ref: 6BF78BAC
FindWindowW.USER32 ref: 6BF78BBF
FindWindowW.USER32 ref: 6BF78BD2
FindWindowW.USER32 ref: 6BF78BE5
FindWindowW.USER32 ref: 6BF78BF8
FindWindowW.USER32 ref: 6BF78C0B
FindWindowW.USER32 ref: 6BF78C1E
FindWindowW.USER32 ref: 6BF78C31
FindWindowW.USER32 ref: 6BF78C44
FindWindowW.USER32 ref: 6BF78C57
FindWindowW.USER32 ref: 6BF78C6A
FindWindowW.USER32 ref: 6BF78C7D
FindWindowW.USER32 ref: 6BF78C90
FindWindowW.USER32 ref: 6BF78CA3
FindWindowW.USER32 ref: 6BF78CB6
FindWindowW.USER32 ref: 6BF78CC9
FindWindowW.USER32 ref: 6BF78CDC
FindWindowW.USER32 ref: 6BF78CEF
FindWindowW.USER32 ref: 6BF78D02
FindWindowW.USER32 ref: 6BF78D15
FindWindowW.USER32 ref: 6BF78D28
FindWindowW.USER32 ref: 6BF78D3B
FindWindowW.USER32 ref: 6BF78D4E
FindWindowW.USER32 ref: 6BF78D61
FindWindowW.USER32 ref: 6BF78D74
FindWindowW.USER32 ref: 6BF78D87
FindWindowW.USER32 ref: 6BF78D9A
FindWindowW.USER32 ref: 6BF78DAD
FindWindowW.USER32 ref: 6BF78DC0
FindWindowW.USER32 ref: 6BF78DD3
FindWindowW.USER32 ref: 6BF78DE6
FindWindowW.USER32 ref: 6BF78DF9
FindWindowW.USER32 ref: 6BF78E0C
FindWindowW.USER32 ref: 6BF78E1F
FindWindowW.USER32 ref: 6BF78E32
FindWindowW.USER32 ref: 6BF78E45
FindWindowW.USER32 ref: 6BF78E58
FindWindowW.USER32 ref: 6BF78E6B
FindWindowW.USER32 ref: 6BF78E7E
FindWindowW.USER32 ref: 6BF78E91
FindWindowW.USER32 ref: 6BF78EA4
FindWindowW.USER32 ref: 6BF78EB7
FindWindowW.USER32 ref: 6BF78ECA
FindWindowW.USER32 ref: 6BF78EDD
FindWindowW.USER32 ref: 6BF78EF0
FindWindowW.USER32 ref: 6BF78F03
FindWindowW.USER32 ref: 6BF78F16
FindWindowW.USER32 ref: 6BF78F29
FindWindowW.USER32 ref: 6BF78F3C
FindWindowW.USER32 ref: 6BF78F4F
FindWindowW.USER32 ref: 6BF78F62
FindWindowW.USER32 ref: 6BF78F75
FindWindowW.USER32 ref: 6BF78F88
FindWindowW.USER32 ref: 6BF78F9B
FindWindowW.USER32 ref: 6BF78FAE
FindWindowW.USER32 ref: 6BF78FC1
FindWindowW.USER32 ref: 6BF78FD4
FindWindowW.USER32 ref: 6BF78FE7
FindWindowW.USER32 ref: 6BF78FFA
FindWindowW.USER32 ref: 6BF7900D
FindWindowW.USER32 ref: 6BF79020
FindWindowW.USER32 ref: 6BF79033
FindWindowW.USER32 ref: 6BF79046
FindWindowW.USER32 ref: 6BF79059
FindWindowW.USER32 ref: 6BF7906C
FindWindowW.USER32 ref: 6BF7907F
FindWindowW.USER32 ref: 6BF79092
FindWindowW.USER32 ref: 6BF790A5
FindWindowW.USER32 ref: 6BF790B8
FindWindowW.USER32 ref: 6BF790CB
FindWindowW.USER32 ref: 6BF790DE
FindWindowW.USER32 ref: 6BF790F1
FindWindowW.USER32 ref: 6BF79104
FindWindowW.USER32 ref: 6BF79117
FindWindowW.USER32 ref: 6BF7912A
FindWindowW.USER32 ref: 6BF7913D
FindWindowW.USER32 ref: 6BF79150
FindWindowW.USER32 ref: 6BF79163
FindWindowW.USER32 ref: 6BF79176
FindWindowW.USER32 ref: 6BF79189
FindWindowW.USER32 ref: 6BF7919C
FindWindowW.USER32 ref: 6BF791AF
FindWindowW.USER32 ref: 6BF791C2
FindWindowW.USER32 ref: 6BF791D5
FindWindowW.USER32 ref: 6BF791E8
FindWindowW.USER32 ref: 6BF791FB
FindWindowW.USER32 ref: 6BF7920E
FindWindowW.USER32 ref: 6BF79221
FindWindowW.USER32 ref: 6BF79234
FindWindowW.USER32 ref: 6BF79247
FindWindowW.USER32 ref: 6BF7925A
FindWindowW.USER32 ref: 6BF7926D
FindWindowW.USER32 ref: 6BF79280
FindWindowW.USER32 ref: 6BF79293
FindWindowW.USER32 ref: 6BF792A6
FindWindowW.USER32 ref: 6BF792B9
FindWindowW.USER32 ref: 6BF792CC
FindWindowW.USER32 ref: 6BF792DF
FindWindowW.USER32 ref: 6BF792F2
FindWindowW.USER32 ref: 6BF79305
FindWindowW.USER32 ref: 6BF79318
FindWindowW.USER32 ref: 6BF7932B
FindWindowW.USER32 ref: 6BF7933E
FindWindowW.USER32 ref: 6BF79351
FindWindowW.USER32 ref: 6BF79364
FindWindowW.USER32 ref: 6BF79377
FindWindowW.USER32 ref: 6BF7938A
FindWindowW.USER32 ref: 6BF7939D
FindWindowW.USER32 ref: 6BF793B0
FindWindowW.USER32 ref: 6BF793C3
FindWindowW.USER32 ref: 6BF793D6
FindWindowW.USER32 ref: 6BF793E9
FindWindowW.USER32 ref: 6BF793FC
FindWindowW.USER32 ref: 6BF7940F
FindWindowW.USER32 ref: 6BF79422
FindWindowW.USER32 ref: 6BF79435
FindWindowW.USER32 ref: 6BF79448
FindWindowW.USER32 ref: 6BF7945B
FindWindowW.USER32 ref: 6BF7946E
FindWindowW.USER32 ref: 6BF79481
FindWindowW.USER32 ref: 6BF79494
FindWindowW.USER32 ref: 6BF794A7
FindWindowW.USER32 ref: 6BF794BA
FindWindowW.USER32 ref: 6BF794CD
FindWindowW.USER32 ref: 6BF794E0
FindWindowW.USER32 ref: 6BF794F3
FindWindowW.USER32 ref: 6BF79506
FindWindowW.USER32 ref: 6BF79519
FindWindowW.USER32 ref: 6BF7952C
FindWindowW.USER32 ref: 6BF7953F
FindWindowW.USER32 ref: 6BF79552
FindWindowW.USER32 ref: 6BF79565
FindWindowW.USER32 ref: 6BF79578
FindWindowW.USER32 ref: 6BF7958B
FindWindowW.USER32 ref: 6BF7959E
FindWindowW.USER32 ref: 6BF795B1
FindWindowW.USER32 ref: 6BF795C4
FindWindowW.USER32 ref: 6BF795D7
FindWindowW.USER32 ref: 6BF795EA
FindWindowW.USER32 ref: 6BF795FD
FindWindowW.USER32 ref: 6BF79610
FindWindowW.USER32 ref: 6BF79623
FindWindowW.USER32 ref: 6BF79636
FindWindowW.USER32 ref: 6BF79649
FindWindowW.USER32 ref: 6BF7965C
FindWindowW.USER32 ref: 6BF7966F
FindWindowW.USER32 ref: 6BF79682
FindWindowW.USER32 ref: 6BF79695
FindWindowW.USER32 ref: 6BF796A8
FindWindowW.USER32 ref: 6BF796BB
FindWindowW.USER32 ref: 6BF796CE
FindWindowW.USER32 ref: 6BF796E1
FindWindowW.USER32 ref: 6BF796F4
FindWindowW.USER32 ref: 6BF79707
FindWindowW.USER32 ref: 6BF7971A
FindWindowW.USER32 ref: 6BF7972D
FindWindowW.USER32 ref: 6BF79740
FindWindowW.USER32 ref: 6BF79753
FindWindowW.USER32 ref: 6BF79766
FindWindowW.USER32 ref: 6BF79779
FindWindowW.USER32 ref: 6BF7978C
FindWindowW.USER32 ref: 6BF7979F
FindWindowW.USER32 ref: 6BF797B2
FindWindowW.USER32 ref: 6BF797C5
FindWindowW.USER32 ref: 6BF797D8
FindWindowW.USER32 ref: 6BF797EB
FindWindowW.USER32 ref: 6BF797FE
FindWindowW.USER32 ref: 6BF79811
FindWindowW.USER32 ref: 6BF79824
FindWindowW.USER32 ref: 6BF79837
FindWindowW.USER32 ref: 6BF7984A
FindWindowW.USER32 ref: 6BF7985D
FindWindowW.USER32 ref: 6BF79870
FindWindowW.USER32 ref: 6BF79883
FindWindowW.USER32 ref: 6BF79896
FindWindowW.USER32 ref: 6BF798A9
FindWindowW.USER32 ref: 6BF798BC
FindWindowW.USER32 ref: 6BF798CF
FindWindowW.USER32 ref: 6BF798E2
FindWindowW.USER32 ref: 6BF798F5
FindWindowW.USER32 ref: 6BF79908
FindWindowW.USER32 ref: 6BF7991B
FindWindowW.USER32 ref: 6BF7992E
FindWindowW.USER32 ref: 6BF79941
FindWindowW.USER32 ref: 6BF79954
FindWindowW.USER32 ref: 6BF79967
FindWindowW.USER32 ref: 6BF7997A
FindWindowW.USER32 ref: 6BF7998D
FindWindowW.USER32 ref: 6BF799A0
FindWindowW.USER32 ref: 6BF799B3
FindWindowW.USER32 ref: 6BF799C6
FindWindowW.USER32 ref: 6BF799D9
FindWindowW.USER32 ref: 6BF799EC
FindWindowW.USER32 ref: 6BF799FF
FindWindowW.USER32 ref: 6BF79A12
FindWindowW.USER32 ref: 6BF79A25
FindWindowW.USER32 ref: 6BF79A38
FindWindowW.USER32 ref: 6BF79A4B
FindWindowW.USER32 ref: 6BF79A5E
FindWindowW.USER32 ref: 6BF79A71
FindWindowW.USER32 ref: 6BF79A84
FindWindowW.USER32 ref: 6BF79A97
FindWindowW.USER32 ref: 6BF79AAA
FindWindowW.USER32 ref: 6BF79ABD
FindWindowW.USER32 ref: 6BF79AD0
FindWindowW.USER32 ref: 6BF79AE3
FindWindowW.USER32 ref: 6BF79AF6
FindWindowW.USER32 ref: 6BF79B09
FindWindowW.USER32 ref: 6BF79B1C
FindWindowW.USER32 ref: 6BF79B2F
FindWindowW.USER32 ref: 6BF79B42
FindWindowW.USER32 ref: 6BF79B55
FindWindowW.USER32 ref: 6BF79B68
FindWindowW.USER32 ref: 6BF79B7B
FindWindowW.USER32 ref: 6BF79B8E
FindWindowW.USER32 ref: 6BF79BA1
FindWindowW.USER32 ref: 6BF79BB4
FindWindowW.USER32 ref: 6BF79BC7
FindWindowW.USER32 ref: 6BF79BDA
FindWindowW.USER32 ref: 6BF79BED
FindWindowW.USER32 ref: 6BF79C00
FindWindowW.USER32 ref: 6BF79C13
FindWindowW.USER32 ref: 6BF79C26
FindWindowW.USER32 ref: 6BF79C39
FindWindowW.USER32 ref: 6BF79C4C
FindWindowW.USER32 ref: 6BF79C5F
FindWindowW.USER32 ref: 6BF79C72
FindWindowW.USER32 ref: 6BF79C85
FindWindowW.USER32 ref: 6BF79C98
FindWindowW.USER32 ref: 6BF79CAB
FindWindowW.USER32 ref: 6BF79CBE
FindWindowW.USER32 ref: 6BF79CD1
FindWindowW.USER32 ref: 6BF79CE4
FindWindowW.USER32 ref: 6BF79CF7
FindWindowW.USER32 ref: 6BF79D0A
FindWindowW.USER32 ref: 6BF79D1D
FindWindowW.USER32 ref: 6BF79D30
FindWindowW.USER32 ref: 6BF79D43
FindWindowW.USER32 ref: 6BF79D56
FindWindowW.USER32 ref: 6BF79D69
FindWindowW.USER32 ref: 6BF79D7C
FindWindowW.USER32 ref: 6BF79D8F
FindWindowW.USER32 ref: 6BF79DA2
FindWindowW.USER32 ref: 6BF79DB5
FindWindowW.USER32 ref: 6BF79DC8
FindWindowW.USER32 ref: 6BF79DDB
FindWindowW.USER32 ref: 6BF79DEE
FindWindowW.USER32 ref: 6BF79E01
FindWindowW.USER32 ref: 6BF79E14
FindWindowW.USER32 ref: 6BF79E27
FindWindowW.USER32 ref: 6BF79E3A
FindWindowW.USER32 ref: 6BF79E4D
FindWindowW.USER32 ref: 6BF79E60
FindWindowW.USER32 ref: 6BF79E73
FindWindowW.USER32 ref: 6BF79E86
FindWindowW.USER32 ref: 6BF79E99
FindWindowW.USER32 ref: 6BF79EAC
FindWindowW.USER32 ref: 6BF79EBF
FindWindowW.USER32 ref: 6BF79ED2
FindWindowW.USER32 ref: 6BF79EE5
FindWindowW.USER32 ref: 6BF79EF8
FindWindowW.USER32 ref: 6BF79F0B
FindWindowW.USER32 ref: 6BF79F1E
FindWindowW.USER32 ref: 6BF79F31
FindWindowW.USER32 ref: 6BF79F44
FindWindowW.USER32 ref: 6BF79F57
FindWindowW.USER32 ref: 6BF79F6A
FindWindowW.USER32 ref: 6BF79F7D
FindWindowW.USER32 ref: 6BF79F90
FindWindowW.USER32 ref: 6BF79FA3
FindWindowW.USER32 ref: 6BF79FB6
FindWindowW.USER32 ref: 6BF79FC9
FindWindowW.USER32 ref: 6BF79FDC
FindWindowW.USER32 ref: 6BF79FEF
FindWindowW.USER32 ref: 6BF7A002
FindWindowW.USER32 ref: 6BF7A015
FindWindowW.USER32 ref: 6BF7A028
FindWindowW.USER32 ref: 6BF7A03B
FindWindowW.USER32 ref: 6BF7A04E
FindWindowW.USER32 ref: 6BF7A061
FindWindowW.USER32 ref: 6BF7A074
FindWindowW.USER32 ref: 6BF7A087
FindWindowW.USER32 ref: 6BF7A09A
FindWindowW.USER32 ref: 6BF7A0AD
FindWindowW.USER32 ref: 6BF7A0C0
FindWindowW.USER32 ref: 6BF7A0D3
FindWindowW.USER32 ref: 6BF7A0E6
FindWindowW.USER32 ref: 6BF7A0F9
FindWindowW.USER32 ref: 6BF7A10C
FindWindowW.USER32 ref: 6BF7A11F
FindWindowW.USER32 ref: 6BF7A132
FindWindowW.USER32 ref: 6BF7A145
FindWindowW.USER32 ref: 6BF7A158
FindWindowW.USER32 ref: 6BF7A16B
FindWindowW.USER32 ref: 6BF7A17E
FindWindowW.USER32 ref: 6BF7A191
FindWindowW.USER32 ref: 6BF7A1A4
FindWindowW.USER32 ref: 6BF7A1B7
FindWindowW.USER32 ref: 6BF7A1CA
FindWindowW.USER32 ref: 6BF7A1DD
FindWindowW.USER32 ref: 6BF7A1F0
FindWindowW.USER32 ref: 6BF7A203
FindWindowW.USER32 ref: 6BF7A216
FindWindowW.USER32 ref: 6BF7A229
FindWindowW.USER32 ref: 6BF7A23C
FindWindowW.USER32 ref: 6BF7A24F
FindWindowW.USER32 ref: 6BF7A262
FindWindowW.USER32 ref: 6BF7A275
FindWindowW.USER32 ref: 6BF7A288
FindWindowW.USER32 ref: 6BF7A29B
FindWindowW.USER32 ref: 6BF7A2AE
FindWindowW.USER32 ref: 6BF7A2C1
FindWindowW.USER32 ref: 6BF7A2D4
FindWindowW.USER32 ref: 6BF7A2E7
FindWindowW.USER32 ref: 6BF7A2FA
FindWindowW.USER32 ref: 6BF7A30D
FindWindowW.USER32 ref: 6BF7A320
FindWindowW.USER32 ref: 6BF7A333
FindWindowW.USER32 ref: 6BF7A346
FindWindowW.USER32 ref: 6BF7A359
FindWindowW.USER32 ref: 6BF7A36C
FindWindowW.USER32 ref: 6BF7A37F
FindWindowW.USER32 ref: 6BF7A392
FindWindowW.USER32 ref: 6BF7A3A5
FindWindowW.USER32 ref: 6BF7A3B8
FindWindowW.USER32 ref: 6BF7A3CB
FindWindowW.USER32 ref: 6BF7A3DE
FindWindowW.USER32 ref: 6BF7A3F1
FindWindowW.USER32 ref: 6BF7A404
FindWindowW.USER32 ref: 6BF7A417
FindWindowW.USER32 ref: 6BF7A42A
FindWindowW.USER32 ref: 6BF7A43D
FindWindowW.USER32 ref: 6BF7A450
FindWindowW.USER32 ref: 6BF7A463
FindWindowW.USER32 ref: 6BF7A476
FindWindowW.USER32 ref: 6BF7A489
FindWindowW.USER32 ref: 6BF7A49C
FindWindowW.USER32 ref: 6BF7A4AF
FindWindowW.USER32 ref: 6BF7A4C2
FindWindowW.USER32 ref: 6BF7A4D5
FindWindowW.USER32 ref: 6BF7A4E8
FindWindowW.USER32 ref: 6BF7A4FB
FindWindowW.USER32 ref: 6BF7A50E
FindWindowW.USER32 ref: 6BF7A521
FindWindowW.USER32 ref: 6BF7A534
FindWindowW.USER32 ref: 6BF7A547
FindWindowW.USER32 ref: 6BF7A55A
FindWindowW.USER32 ref: 6BF7A56D
FindWindowW.USER32 ref: 6BF7A580
FindWindowW.USER32 ref: 6BF7A593
FindWindowW.USER32 ref: 6BF7A5A6
FindWindowW.USER32 ref: 6BF7A5B9
FindWindowW.USER32 ref: 6BF7A5CC
FindWindowW.USER32 ref: 6BF7A5DF
FindWindowW.USER32 ref: 6BF7A5F2
FindWindowW.USER32 ref: 6BF7A605
FindWindowW.USER32 ref: 6BF7A618
FindWindowW.USER32 ref: 6BF7A62B
FindWindowW.USER32 ref: 6BF7A63E
FindWindowW.USER32 ref: 6BF7A651
FindWindowW.USER32 ref: 6BF7A664
FindWindowW.USER32 ref: 6BF7A677
FindWindowW.USER32 ref: 6BF7A68A
FindWindowW.USER32 ref: 6BF7A69D
FindWindowW.USER32 ref: 6BF7A6B0
FindWindowW.USER32 ref: 6BF7A6C3
FindWindowW.USER32 ref: 6BF7A6D6
FindWindowW.USER32 ref: 6BF7A6E9
FindWindowW.USER32 ref: 6BF7A6FC
FindWindowW.USER32 ref: 6BF7A70F
FindWindowW.USER32 ref: 6BF7A722
FindWindowW.USER32 ref: 6BF7A735
FindWindowW.USER32 ref: 6BF7A748
FindWindowW.USER32 ref: 6BF7A75B
FindWindowW.USER32 ref: 6BF7A76E
FindWindowW.USER32 ref: 6BF7A781
FindWindowW.USER32 ref: 6BF7A794
FindWindowW.USER32 ref: 6BF7A7A7
FindWindowW.USER32 ref: 6BF7A7BA
FindWindowW.USER32 ref: 6BF7A7CD
FindWindowW.USER32 ref: 6BF7A7E0
FindWindowW.USER32 ref: 6BF7A7F3
FindWindowW.USER32 ref: 6BF7A806
FindWindowW.USER32 ref: 6BF7A819
FindWindowW.USER32 ref: 6BF7A82C
FindWindowW.USER32 ref: 6BF7A83F
FindWindowW.USER32 ref: 6BF7A852
FindWindowW.USER32 ref: 6BF7A865
FindWindowW.USER32 ref: 6BF7A878
FindWindowW.USER32 ref: 6BF7A88B
FindWindowW.USER32 ref: 6BF7A89E
FindWindowW.USER32 ref: 6BF7A8B1
FindWindowW.USER32 ref: 6BF7A8C4
FindWindowW.USER32 ref: 6BF7A8D7
FindWindowW.USER32 ref: 6BF7A8EA
FindWindowW.USER32 ref: 6BF7A8FD
FindWindowW.USER32 ref: 6BF7A910
FindWindowW.USER32 ref: 6BF7A923
FindWindowW.USER32 ref: 6BF7A936
FindWindowW.USER32 ref: 6BF7A949
FindWindowW.USER32 ref: 6BF7A95C
FindWindowW.USER32 ref: 6BF7A96F
FindWindowW.USER32 ref: 6BF7A982
FindWindowW.USER32 ref: 6BF7A995
FindWindowW.USER32 ref: 6BF7A9A8
FindWindowW.USER32 ref: 6BF7A9BB
FindWindowW.USER32 ref: 6BF7A9CE
FindWindowW.USER32 ref: 6BF7A9E1
FindWindowW.USER32 ref: 6BF7A9F4
FindWindowW.USER32 ref: 6BF7AA07
FindWindowW.USER32 ref: 6BF7AA1A
FindWindowW.USER32 ref: 6BF7AA2D
FindWindowW.USER32 ref: 6BF7AA40
FindWindowW.USER32 ref: 6BF7AA53
FindWindowW.USER32 ref: 6BF7AA66
FindWindowW.USER32 ref: 6BF7AA79
FindWindowW.USER32 ref: 6BF7AA8C
FindWindowW.USER32 ref: 6BF7AA9F
FindWindowW.USER32 ref: 6BF7AAB2
FindWindowW.USER32 ref: 6BF7AAC5
FindWindowW.USER32 ref: 6BF7AAD8
FindWindowW.USER32 ref: 6BF7AAEB
FindWindowW.USER32 ref: 6BF7AAFE
FindWindowW.USER32 ref: 6BF7AB11
FindWindowW.USER32 ref: 6BF7AB24
FindWindowW.USER32 ref: 6BF7AB37
FindWindowW.USER32 ref: 6BF7AB4A
FindWindowW.USER32 ref: 6BF7AB5D
FindWindowW.USER32 ref: 6BF7AB70
FindWindowW.USER32 ref: 6BF7AB83
FindWindowW.USER32 ref: 6BF7AB96
FindWindowW.USER32 ref: 6BF7ABA9
FindWindowW.USER32 ref: 6BF7ABBC
FindWindowW.USER32 ref: 6BF7ABCF
FindWindowW.USER32 ref: 6BF7ABE2
FindWindowW.USER32 ref: 6BF7ABF5
FindWindowW.USER32 ref: 6BF7AC08
FindWindowW.USER32 ref: 6BF7AC1B
FindWindowW.USER32 ref: 6BF7AC2E
FindWindowW.USER32 ref: 6BF7AC41
FindWindowW.USER32 ref: 6BF7AC54
FindWindowW.USER32 ref: 6BF7AC67
FindWindowW.USER32 ref: 6BF7AC7A
FindWindowW.USER32 ref: 6BF7AC8D
FindWindowW.USER32 ref: 6BF7ACA0
FindWindowW.USER32 ref: 6BF7ACB3
FindWindowW.USER32 ref: 6BF7ACC6
FindWindowW.USER32 ref: 6BF7ACD9
FindWindowW.USER32 ref: 6BF7ACEC
FindWindowW.USER32 ref: 6BF7ACFF
FindWindowW.USER32 ref: 6BF7AD12
FindWindowW.USER32 ref: 6BF7AD25
FindWindowW.USER32 ref: 6BF7AD38
FindWindowW.USER32 ref: 6BF7AD4B
FindWindowW.USER32 ref: 6BF7AD5E
FindWindowW.USER32 ref: 6BF7AD71
FindWindowW.USER32 ref: 6BF7AD84
FindWindowW.USER32 ref: 6BF7AD97
FindWindowW.USER32 ref: 6BF7ADAA
FindWindowW.USER32 ref: 6BF7ADBD
FindWindowW.USER32 ref: 6BF7ADD0
FindWindowW.USER32 ref: 6BF7ADE3
FindWindowW.USER32 ref: 6BF7ADF6
FindWindowW.USER32 ref: 6BF7AE09
FindWindowW.USER32 ref: 6BF7AE1C
FindWindowW.USER32 ref: 6BF7AE2F
FindWindowW.USER32 ref: 6BF7AE42
FindWindowW.USER32 ref: 6BF7AE55
FindWindowW.USER32 ref: 6BF7AE68
FindWindowW.USER32 ref: 6BF7AE7B
FindWindowW.USER32 ref: 6BF7AE8E
FindWindowW.USER32 ref: 6BF7AEA1
FindWindowW.USER32 ref: 6BF7AEB4
FindWindowW.USER32 ref: 6BF7AEC7
FindWindowW.USER32 ref: 6BF7AEDA
FindWindowW.USER32 ref: 6BF7AEED
FindWindowW.USER32 ref: 6BF7AF00
FindWindowW.USER32 ref: 6BF7AF13
FindWindowW.USER32 ref: 6BF7AF26
FindWindowW.USER32 ref: 6BF7AF39
FindWindowW.USER32 ref: 6BF7AF4C
FindWindowW.USER32 ref: 6BF7AF5F
FindWindowW.USER32 ref: 6BF7AF72
FindWindowW.USER32 ref: 6BF7AF85
FindWindowW.USER32 ref: 6BF7AF98
FindWindowW.USER32 ref: 6BF7AFAB
FindWindowW.USER32 ref: 6BF7AFBE
FindWindowW.USER32 ref: 6BF7AFD1
FindWindowW.USER32 ref: 6BF7AFE4
FindWindowW.USER32 ref: 6BF7AFF7
FindWindowW.USER32 ref: 6BF7B00A
FindWindowW.USER32 ref: 6BF7B01D
FindWindowW.USER32 ref: 6BF7B030
FindWindowW.USER32 ref: 6BF7B043
FindWindowW.USER32 ref: 6BF7B056
FindWindowW.USER32 ref: 6BF7B069
FindWindowW.USER32 ref: 6BF7B07C
FindWindowW.USER32 ref: 6BF7B08F
FindWindowW.USER32 ref: 6BF7B0A2
FindWindowW.USER32 ref: 6BF7B0B5
FindWindowW.USER32 ref: 6BF7B0C8
FindWindowW.USER32 ref: 6BF7B0DB
FindWindowW.USER32 ref: 6BF7B0EE
FindWindowW.USER32 ref: 6BF7B101
FindWindowW.USER32 ref: 6BF7B114
FindWindowW.USER32 ref: 6BF7B127
FindWindowW.USER32 ref: 6BF7B13A
FindWindowW.USER32 ref: 6BF7B14D
FindWindowW.USER32 ref: 6BF7B160
FindWindowW.USER32 ref: 6BF7B173
FindWindowW.USER32 ref: 6BF7B186
FindWindowW.USER32 ref: 6BF7B199
FindWindowW.USER32 ref: 6BF7B1AC
FindWindowW.USER32 ref: 6BF7B1BF
FindWindowW.USER32 ref: 6BF7B1D2
FindWindowW.USER32 ref: 6BF7B1E5
FindWindowW.USER32 ref: 6BF7B1F8
FindWindowW.USER32 ref: 6BF7B20B
FindWindowW.USER32 ref: 6BF7B21E
FindWindowW.USER32 ref: 6BF7B231
FindWindowW.USER32 ref: 6BF7B244
FindWindowW.USER32 ref: 6BF7B257
FindWindowW.USER32 ref: 6BF7B26A
FindWindowW.USER32 ref: 6BF7B27D
FindWindowW.USER32 ref: 6BF7B290
FindWindowW.USER32 ref: 6BF7B2A3
FindWindowW.USER32 ref: 6BF7B2B6
FindWindowW.USER32 ref: 6BF7B2C9
FindWindowW.USER32 ref: 6BF7B2DC
FindWindowW.USER32 ref: 6BF7B2EF
FindWindowW.USER32 ref: 6BF7B302
FindWindowW.USER32 ref: 6BF7B315
FindWindowW.USER32 ref: 6BF7B328
FindWindowW.USER32 ref: 6BF7B33B
FindWindowW.USER32 ref: 6BF7B34E
FindWindowW.USER32 ref: 6BF7B361
FindWindowW.USER32 ref: 6BF7B374
FindWindowW.USER32 ref: 6BF7B387
FindWindowW.USER32 ref: 6BF7B39A
FindWindowW.USER32 ref: 6BF7B3AD
FindWindowW.USER32 ref: 6BF7B3C0
FindWindowW.USER32 ref: 6BF7B3D3
FindWindowW.USER32 ref: 6BF7B3E6
FindWindowW.USER32 ref: 6BF7B3F9
FindWindowW.USER32 ref: 6BF7B40C
FindWindowW.USER32 ref: 6BF7B41F
FindWindowW.USER32 ref: 6BF7B432
FindWindowW.USER32 ref: 6BF7B445
FindWindowW.USER32 ref: 6BF7B458
FindWindowW.USER32 ref: 6BF7B46B
FindWindowW.USER32 ref: 6BF7B47E
FindWindowW.USER32 ref: 6BF7B491
FindWindowW.USER32 ref: 6BF7B4A4
FindWindowW.USER32 ref: 6BF7B4B7
FindWindowW.USER32 ref: 6BF7B4CA
FindWindowW.USER32 ref: 6BF7B4DD
FindWindowW.USER32 ref: 6BF7B4F0
FindWindowW.USER32 ref: 6BF7B503
FindWindowW.USER32 ref: 6BF7B516
FindWindowW.USER32 ref: 6BF7B529
FindWindowW.USER32 ref: 6BF7B53C
FindWindowW.USER32 ref: 6BF7B54F
FindWindowW.USER32 ref: 6BF7B562
FindWindowW.USER32 ref: 6BF7B575
FindWindowW.USER32 ref: 6BF7B588
FindWindowW.USER32 ref: 6BF7B59B
FindWindowW.USER32 ref: 6BF7B5AE
FindWindowW.USER32 ref: 6BF7B5C1
FindWindowW.USER32 ref: 6BF7B5D4
FindWindowW.USER32 ref: 6BF7B5E7
FindWindowW.USER32 ref: 6BF7B5FA
FindWindowW.USER32 ref: 6BF7B60D
FindWindowW.USER32 ref: 6BF7B620
FindWindowW.USER32 ref: 6BF7B633
FindWindowW.USER32 ref: 6BF7B646
FindWindowW.USER32 ref: 6BF7B659
FindWindowW.USER32 ref: 6BF7B66C
FindWindowW.USER32 ref: 6BF7B67F
FindWindowW.USER32 ref: 6BF7B692
FindWindowW.USER32 ref: 6BF7B6A5
FindWindowW.USER32 ref: 6BF7B6B8
FindWindowW.USER32 ref: 6BF7B6CB
FindWindowW.USER32 ref: 6BF7B6DE
FindWindowW.USER32 ref: 6BF7B6F1
FindWindowW.USER32 ref: 6BF7B704
FindWindowW.USER32 ref: 6BF7B717
FindWindowW.USER32 ref: 6BF7B72A
FindWindowW.USER32 ref: 6BF7B73D
FindWindowW.USER32 ref: 6BF7B750
FindWindowW.USER32 ref: 6BF7B763
FindWindowW.USER32 ref: 6BF7B776
FindWindowW.USER32 ref: 6BF7B789
FindWindowW.USER32 ref: 6BF7B79C
FindWindowW.USER32 ref: 6BF7B7AF
FindWindowW.USER32 ref: 6BF7B7C2
FindWindowW.USER32 ref: 6BF7B7D5
FindWindowW.USER32 ref: 6BF7B7E8
FindWindowW.USER32 ref: 6BF7B7FB
FindWindowW.USER32 ref: 6BF7B80E
FindWindowW.USER32 ref: 6BF7B821
FindWindowW.USER32 ref: 6BF7B834
FindWindowW.USER32 ref: 6BF7B847
FindWindowW.USER32 ref: 6BF7B85A
FindWindowW.USER32 ref: 6BF7B86D
FindWindowW.USER32 ref: 6BF7B880
FindWindowW.USER32 ref: 6BF7B893
FindWindowW.USER32 ref: 6BF7B8A6
FindWindowW.USER32 ref: 6BF7B8B9
FindWindowW.USER32 ref: 6BF7B8CC
FindWindowW.USER32 ref: 6BF7B8DF
FindWindowW.USER32 ref: 6BF7B8F2
FindWindowW.USER32 ref: 6BF7B905
FindWindowW.USER32 ref: 6BF7B918
FindWindowW.USER32 ref: 6BF7B92B
FindWindowW.USER32 ref: 6BF7B93E
FindWindowW.USER32 ref: 6BF7B951
FindWindowW.USER32 ref: 6BF7B964
FindWindowW.USER32 ref: 6BF7B977
FindWindowW.USER32 ref: 6BF7B98A
FindWindowW.USER32 ref: 6BF7B99D
FindWindowW.USER32 ref: 6BF7B9B0
FindWindowW.USER32 ref: 6BF7B9C3
FindWindowW.USER32 ref: 6BF7B9D6
FindWindowW.USER32 ref: 6BF7B9E9
FindWindowW.USER32 ref: 6BF7B9FC
FindWindowW.USER32 ref: 6BF7BA0F
FindWindowW.USER32 ref: 6BF7BA22
FindWindowW.USER32 ref: 6BF7BA35
FindWindowW.USER32 ref: 6BF7BA48
FindWindowW.USER32 ref: 6BF7BA5B
FindWindowW.USER32 ref: 6BF7BA6E
FindWindowW.USER32 ref: 6BF7BA81
FindWindowW.USER32 ref: 6BF7BA94
FindWindowW.USER32 ref: 6BF7BAA7
FindWindowW.USER32 ref: 6BF7BABA
FindWindowW.USER32 ref: 6BF7BACD
FindWindowW.USER32 ref: 6BF7BAE0
FindWindowW.USER32 ref: 6BF7BAF3
FindWindowW.USER32 ref: 6BF7BB06
FindWindowW.USER32 ref: 6BF7BB19
FindWindowW.USER32 ref: 6BF7BB2C
FindWindowW.USER32 ref: 6BF7BB3F
FindWindowW.USER32 ref: 6BF7BB52
FindWindowW.USER32 ref: 6BF7BB65
FindWindowW.USER32 ref: 6BF7BB78
FindWindowW.USER32 ref: 6BF7BB8B
FindWindowW.USER32 ref: 6BF7BB9E
FindWindowW.USER32 ref: 6BF7BBB1
FindWindowW.USER32 ref: 6BF7BBC4
FindWindowW.USER32 ref: 6BF7BBD7
FindWindowW.USER32 ref: 6BF7BBEA
FindWindowW.USER32 ref: 6BF7BBFD
FindWindowW.USER32 ref: 6BF7BC10
FindWindowW.USER32 ref: 6BF7BC23
FindWindowW.USER32 ref: 6BF7BC36
FindWindowW.USER32 ref: 6BF7BC49
FindWindowW.USER32 ref: 6BF7BC5C
FindWindowW.USER32 ref: 6BF7BC6F
FindWindowW.USER32 ref: 6BF7BC82
FindWindowW.USER32 ref: 6BF7BC95
FindWindowW.USER32 ref: 6BF7BCA8
FindWindowW.USER32 ref: 6BF7BCBB
FindWindowW.USER32 ref: 6BF7BCCE
FindWindowW.USER32 ref: 6BF7BCE1
FindWindowW.USER32 ref: 6BF7BCF4
FindWindowW.USER32 ref: 6BF7BD07
FindWindowW.USER32 ref: 6BF7BD1A
FindWindowW.USER32 ref: 6BF7BD2D
FindWindowW.USER32 ref: 6BF7BD40
FindWindowW.USER32 ref: 6BF7BD53
FindWindowW.USER32 ref: 6BF7BD66
FindWindowW.USER32 ref: 6BF7BD79
FindWindowW.USER32 ref: 6BF7BD8C
FindWindowW.USER32 ref: 6BF7BD9F
FindWindowW.USER32 ref: 6BF7BDB2
FindWindowW.USER32 ref: 6BF7BDC5
FindWindowW.USER32 ref: 6BF7BDD8
FindWindowW.USER32 ref: 6BF7BDEB
FindWindowW.USER32 ref: 6BF7BDFE
FindWindowW.USER32 ref: 6BF7BE11
FindWindowW.USER32 ref: 6BF7BE24
FindWindowW.USER32 ref: 6BF7BE37
FindWindowW.USER32 ref: 6BF7BE4A
FindWindowW.USER32 ref: 6BF7BE5D
FindWindowW.USER32 ref: 6BF7BE70
FindWindowW.USER32 ref: 6BF7BE83
FindWindowW.USER32 ref: 6BF7BE96
FindWindowW.USER32 ref: 6BF7BEA9
FindWindowW.USER32 ref: 6BF7BEBC
FindWindowW.USER32 ref: 6BF7BECF
FindWindowW.USER32 ref: 6BF7BEE2
FindWindowW.USER32 ref: 6BF7BEF5
FindWindowW.USER32 ref: 6BF7BF08
FindWindowW.USER32 ref: 6BF7BF1B
FindWindowW.USER32 ref: 6BF7BF2E
FindWindowW.USER32 ref: 6BF7BF41
FindWindowW.USER32 ref: 6BF7BF54
FindWindowW.USER32 ref: 6BF7BF67
FindWindowW.USER32 ref: 6BF7BF7A
FindWindowW.USER32 ref: 6BF7BF8D
FindWindowW.USER32 ref: 6BF7BFA0
FindWindowW.USER32 ref: 6BF7BFB3
FindWindowW.USER32 ref: 6BF7BFC6
FindWindowW.USER32 ref: 6BF7BFD9
FindWindowW.USER32 ref: 6BF7BFEC
FindWindowW.USER32 ref: 6BF7BFFF
FindWindowW.USER32 ref: 6BF7C012
FindWindowW.USER32 ref: 6BF7C025
FindWindowW.USER32 ref: 6BF7C038
FindWindowW.USER32 ref: 6BF7C04B
FindWindowW.USER32 ref: 6BF7C05E
FindWindowW.USER32 ref: 6BF7C071
FindWindowW.USER32 ref: 6BF7C084
FindWindowW.USER32 ref: 6BF7C097
FindWindowW.USER32 ref: 6BF7C0AA
FindWindowW.USER32 ref: 6BF7C0BD
FindWindowW.USER32 ref: 6BF7C0D0
FindWindowW.USER32 ref: 6BF7C0E3
FindWindowW.USER32 ref: 6BF7C0F6
FindWindowW.USER32 ref: 6BF7C109
FindWindowW.USER32 ref: 6BF7C11C
FindWindowW.USER32 ref: 6BF7C12F
FindWindowW.USER32 ref: 6BF7C142
FindWindowW.USER32 ref: 6BF7C155
FindWindowW.USER32 ref: 6BF7C168
FindWindowW.USER32 ref: 6BF7C17B
FindWindowW.USER32 ref: 6BF7C18E
FindWindowW.USER32 ref: 6BF7C1A1
FindWindowW.USER32 ref: 6BF7C1B4
FindWindowW.USER32 ref: 6BF7C1C7
FindWindowW.USER32 ref: 6BF7C1DA
FindWindowW.USER32 ref: 6BF7C1ED
FindWindowW.USER32 ref: 6BF7C200
FindWindowW.USER32 ref: 6BF7C213
FindWindowW.USER32 ref: 6BF7C226
FindWindowW.USER32 ref: 6BF7C239
FindWindowW.USER32 ref: 6BF7C24C
FindWindowW.USER32 ref: 6BF7C25F
FindWindowW.USER32 ref: 6BF7C272
FindWindowW.USER32 ref: 6BF7C285
FindWindowW.USER32 ref: 6BF7C298
FindWindowW.USER32 ref: 6BF7C2AB
FindWindowW.USER32 ref: 6BF7C2BE
FindWindowW.USER32 ref: 6BF7C2D1
FindWindowW.USER32 ref: 6BF7C2E4
FindWindowW.USER32 ref: 6BF7C2F7
FindWindowW.USER32 ref: 6BF7C30A
FindWindowW.USER32 ref: 6BF7C31D
FindWindowW.USER32 ref: 6BF7C330
FindWindowW.USER32 ref: 6BF7C343
FindWindowW.USER32 ref: 6BF7C356
FindWindowW.USER32 ref: 6BF7C369
FindWindowW.USER32 ref: 6BF7C37C
FindWindowW.USER32 ref: 6BF7C38F
FindWindowW.USER32 ref: 6BF7C3A2
FindWindowW.USER32 ref: 6BF7C3B5
FindWindowW.USER32 ref: 6BF7C3C8
FindWindowW.USER32 ref: 6BF7C3DB
FindWindowW.USER32 ref: 6BF7C3EE
FindWindowW.USER32 ref: 6BF7C401
FindWindowW.USER32 ref: 6BF7C414
FindWindowW.USER32 ref: 6BF7C427
FindWindowW.USER32 ref: 6BF7C43A
FindWindowW.USER32 ref: 6BF7C44D
FindWindowW.USER32 ref: 6BF7C460
FindWindowW.USER32 ref: 6BF7C473
FindWindowW.USER32 ref: 6BF7C486
FindWindowW.USER32 ref: 6BF7C499
FindWindowW.USER32 ref: 6BF7C4AC
FindWindowW.USER32 ref: 6BF7C4BF
FindWindowW.USER32 ref: 6BF7C4D2
FindWindowW.USER32 ref: 6BF7C4E5
FindWindowW.USER32 ref: 6BF7C4F8
FindWindowW.USER32 ref: 6BF7C50B
FindWindowW.USER32 ref: 6BF7C51E
FindWindowW.USER32 ref: 6BF7C531
FindWindowW.USER32 ref: 6BF7C544
FindWindowW.USER32 ref: 6BF7C557
FindWindowW.USER32 ref: 6BF7C56A
FindWindowW.USER32 ref: 6BF7C57D
FindWindowW.USER32 ref: 6BF7C590
FindWindowW.USER32 ref: 6BF7C5A3
FindWindowW.USER32 ref: 6BF7C5B6
FindWindowW.USER32 ref: 6BF7C5C9
FindWindowW.USER32 ref: 6BF7C5DC
FindWindowW.USER32 ref: 6BF7C5EF
FindWindowW.USER32 ref: 6BF7C602
FindWindowW.USER32 ref: 6BF7C615
FindWindowW.USER32 ref: 6BF7C628
FindWindowW.USER32 ref: 6BF7C63B
FindWindowW.USER32 ref: 6BF7C64E
FindWindowW.USER32 ref: 6BF7C661
FindWindowW.USER32 ref: 6BF7C674
FindWindowW.USER32 ref: 6BF7C687
FindWindowW.USER32 ref: 6BF7C69A
FindWindowW.USER32 ref: 6BF7C6AD
FindWindowW.USER32 ref: 6BF7C6C0
FindWindowW.USER32 ref: 6BF7C6D3
FindWindowW.USER32 ref: 6BF7C6E6
FindWindowW.USER32 ref: 6BF7C6F9
FindWindowW.USER32 ref: 6BF7C70C
FindWindowW.USER32 ref: 6BF7C71F
FindWindowW.USER32 ref: 6BF7C732
FindWindowW.USER32 ref: 6BF7C745
FindWindowW.USER32 ref: 6BF7C758
FindWindowW.USER32 ref: 6BF7C76B
FindWindowW.USER32 ref: 6BF7C77E
FindWindowW.USER32 ref: 6BF7C791
FindWindowW.USER32 ref: 6BF7C7A4
FindWindowW.USER32 ref: 6BF7C7B7
FindWindowW.USER32 ref: 6BF7C7CA
FindWindowW.USER32 ref: 6BF7C7DD
FindWindowW.USER32 ref: 6BF7C7F0
FindWindowW.USER32 ref: 6BF7C803
FindWindowW.USER32 ref: 6BF7C816
FindWindowW.USER32 ref: 6BF7C829
FindWindowW.USER32 ref: 6BF7C83C
FindWindowW.USER32 ref: 6BF7C84F
FindWindowW.USER32 ref: 6BF7C862
FindWindowW.USER32 ref: 6BF7C875
FindWindowW.USER32 ref: 6BF7C888
FindWindowW.USER32 ref: 6BF7C89B
FindWindowW.USER32 ref: 6BF7C8AE
FindWindowW.USER32 ref: 6BF7C8C1
FindWindowW.USER32 ref: 6BF7C8D4
FindWindowW.USER32 ref: 6BF7C8E7
FindWindowW.USER32 ref: 6BF7C8FA
FindWindowW.USER32 ref: 6BF7C90D
FindWindowW.USER32 ref: 6BF7C920
FindWindowW.USER32 ref: 6BF7C933
FindWindowW.USER32 ref: 6BF7C946
FindWindowW.USER32 ref: 6BF7C959
FindWindowW.USER32 ref: 6BF7C96C
FindWindowW.USER32 ref: 6BF7C97F
FindWindowW.USER32 ref: 6BF7C992
FindWindowW.USER32 ref: 6BF7C9A5
FindWindowW.USER32 ref: 6BF7C9B8
FindWindowW.USER32 ref: 6BF7C9CB
FindWindowW.USER32 ref: 6BF7C9DE
FindWindowW.USER32 ref: 6BF7C9F1
FindWindowW.USER32 ref: 6BF7CA04
FindWindowW.USER32 ref: 6BF7CA17
FindWindowW.USER32 ref: 6BF7CA2A
FindWindowW.USER32 ref: 6BF7CA3D
FindWindowW.USER32 ref: 6BF7CA50
FindWindowW.USER32 ref: 6BF7CA63
FindWindowW.USER32 ref: 6BF7CA76
FindWindowW.USER32 ref: 6BF7CA89
FindWindowW.USER32 ref: 6BF7CA9C
FindWindowW.USER32 ref: 6BF7CAAF
FindWindowW.USER32 ref: 6BF7CAC2
FindWindowW.USER32 ref: 6BF7CAD5
FindWindowW.USER32 ref: 6BF7CAE8
FindWindowW.USER32 ref: 6BF7CAFB
FindWindowW.USER32 ref: 6BF7CB0E
FindWindowW.USER32 ref: 6BF7CB21
FindWindowW.USER32 ref: 6BF7CB34
FindWindowW.USER32 ref: 6BF7CB47
FindWindowW.USER32 ref: 6BF7CB5A
FindWindowW.USER32 ref: 6BF7CB6D
FindWindowW.USER32 ref: 6BF7CB80
FindWindowW.USER32 ref: 6BF7CB93
FindWindowW.USER32 ref: 6BF7CBA6
FindWindowW.USER32 ref: 6BF7CBB9
FindWindowW.USER32 ref: 6BF7CBCC
FindWindowW.USER32 ref: 6BF7CBDF
FindWindowW.USER32 ref: 6BF7CBF2
FindWindowW.USER32 ref: 6BF7CC05
FindWindowW.USER32 ref: 6BF7CC18
FindWindowW.USER32 ref: 6BF7CC2B
FindWindowW.USER32 ref: 6BF7CC3E
FindWindowW.USER32 ref: 6BF7CC51
FindWindowW.USER32 ref: 6BF7CC64
FindWindowW.USER32 ref: 6BF7CC77
FindWindowW.USER32 ref: 6BF7CC8A
FindWindowW.USER32 ref: 6BF7CC9D
FindWindowW.USER32 ref: 6BF7CCB0
FindWindowW.USER32 ref: 6BF7CCC3
FindWindowW.USER32 ref: 6BF7CCD6
FindWindowW.USER32 ref: 6BF7CCE9
FindWindowW.USER32 ref: 6BF7CCFC
FindWindowW.USER32 ref: 6BF7CD0F
FindWindowW.USER32 ref: 6BF7CD22
FindWindowW.USER32 ref: 6BF7CD35
FindWindowW.USER32 ref: 6BF7CD48
FindWindowW.USER32 ref: 6BF7CD5B
FindWindowW.USER32 ref: 6BF7CD6E
FindWindowW.USER32 ref: 6BF7CD81
FindWindowW.USER32 ref: 6BF7CD94
FindWindowW.USER32 ref: 6BF7CDA7
FindWindowW.USER32 ref: 6BF7CDBA
FindWindowW.USER32 ref: 6BF7CDCD
FindWindowW.USER32 ref: 6BF7CDE0
FindWindowW.USER32 ref: 6BF7CDF3
FindWindowW.USER32 ref: 6BF7CE06
FindWindowW.USER32 ref: 6BF7CE19
FindWindowW.USER32 ref: 6BF7CE2C
FindWindowW.USER32 ref: 6BF7CE3F
FindWindowW.USER32 ref: 6BF7CE52
FindWindowW.USER32 ref: 6BF7CE65
FindWindowW.USER32 ref: 6BF7CE78
FindWindowW.USER32 ref: 6BF7CE8B
FindWindowW.USER32 ref: 6BF7CE9E
FindWindowW.USER32 ref: 6BF7CEB1
FindWindowW.USER32 ref: 6BF7CEC4
FindWindowW.USER32 ref: 6BF7CED7
FindWindowW.USER32 ref: 6BF7CEEA
FindWindowW.USER32 ref: 6BF7CEFD
FindWindowW.USER32 ref: 6BF7CF10
FindWindowW.USER32 ref: 6BF7CF23
FindWindowW.USER32 ref: 6BF7CF36
FindWindowW.USER32 ref: 6BF7CF49
FindWindowW.USER32 ref: 6BF7CF5C
FindWindowW.USER32 ref: 6BF7CF6F
FindWindowW.USER32 ref: 6BF7CF82
FindWindowW.USER32 ref: 6BF7CF95
FindWindowW.USER32 ref: 6BF7CFA8
FindWindowW.USER32 ref: 6BF7CFBB
FindWindowW.USER32 ref: 6BF7CFCE
FindWindowW.USER32 ref: 6BF7CFE1
FindWindowW.USER32 ref: 6BF7CFF4
FindWindowW.USER32 ref: 6BF7D007
FindWindowW.USER32 ref: 6BF7D01A
FindWindowW.USER32 ref: 6BF7D02D
FindWindowW.USER32 ref: 6BF7D040
FindWindowW.USER32 ref: 6BF7D053
FindWindowW.USER32 ref: 6BF7D066
FindWindowW.USER32 ref: 6BF7D079
FindWindowW.USER32 ref: 6BF7D08C
FindWindowW.USER32 ref: 6BF7D09F
FindWindowW.USER32 ref: 6BF7D0B2
FindWindowW.USER32 ref: 6BF7D0C5
FindWindowW.USER32 ref: 6BF7D0D8
FindWindowW.USER32 ref: 6BF7D0EB
FindWindowW.USER32 ref: 6BF7D0FE
FindWindowW.USER32 ref: 6BF7D111
FindWindowW.USER32 ref: 6BF7D124
FindWindowW.USER32 ref: 6BF7D137
FindWindowW.USER32 ref: 6BF7D14A
FindWindowW.USER32 ref: 6BF7D15D
FindWindowW.USER32 ref: 6BF7D170
FindWindowW.USER32 ref: 6BF7D183
FindWindowW.USER32 ref: 6BF7D196
FindWindowW.USER32 ref: 6BF7D1A9
FindWindowW.USER32 ref: 6BF7D1BC
FindWindowW.USER32 ref: 6BF7D1CF
FindWindowW.USER32 ref: 6BF7D1E2
FindWindowW.USER32 ref: 6BF7D1F5
FindWindowW.USER32 ref: 6BF7D208
FindWindowW.USER32 ref: 6BF7D21B
FindWindowW.USER32 ref: 6BF7D22E
FindWindowW.USER32 ref: 6BF7D241
FindWindowW.USER32 ref: 6BF7D254
FindWindowW.USER32 ref: 6BF7D267
FindWindowW.USER32 ref: 6BF7D27A
FindWindowW.USER32 ref: 6BF7D28D
FindWindowW.USER32 ref: 6BF7D2A0
FindWindowW.USER32 ref: 6BF7D2B3
FindWindowW.USER32 ref: 6BF7D2C6
FindWindowW.USER32 ref: 6BF7D2D9
FindWindowW.USER32 ref: 6BF7D2EC
FindWindowW.USER32 ref: 6BF7D2FF
FindWindowW.USER32 ref: 6BF7D312
FindWindowW.USER32 ref: 6BF7D325
FindWindowW.USER32 ref: 6BF7D338
FindWindowW.USER32 ref: 6BF7D34B
FindWindowW.USER32 ref: 6BF7D35E
FindWindowW.USER32 ref: 6BF7D371
FindWindowW.USER32 ref: 6BF7D384
FindWindowW.USER32 ref: 6BF7D397
FindWindowW.USER32 ref: 6BF7D3AA
FindWindowW.USER32 ref: 6BF7D3BD
FindWindowW.USER32 ref: 6BF7D3D0
FindWindowW.USER32 ref: 6BF7D3E3
FindWindowW.USER32 ref: 6BF7D3F6
FindWindowW.USER32 ref: 6BF7D409
FindWindowW.USER32 ref: 6BF7D41C
FindWindowW.USER32 ref: 6BF7D42F
FindWindowW.USER32 ref: 6BF7D442
FindWindowW.USER32 ref: 6BF7D455
FindWindowW.USER32 ref: 6BF7D468
FindWindowW.USER32 ref: 6BF7D47B
FindWindowW.USER32 ref: 6BF7D48E
FindWindowW.USER32 ref: 6BF7D4A1
FindWindowW.USER32 ref: 6BF7D4B4
FindWindowW.USER32 ref: 6BF7D4C7
FindWindowW.USER32 ref: 6BF7D4DA
FindWindowW.USER32 ref: 6BF7D4ED
FindWindowW.USER32 ref: 6BF7D500
FindWindowW.USER32 ref: 6BF7D513
FindWindowW.USER32 ref: 6BF7D526
FindWindowW.USER32 ref: 6BF7D539
FindWindowW.USER32 ref: 6BF7D54C
FindWindowW.USER32 ref: 6BF7D55F
FindWindowW.USER32 ref: 6BF7D572
FindWindowW.USER32 ref: 6BF7D585
FindWindowW.USER32 ref: 6BF7D598
FindWindowW.USER32 ref: 6BF7D5AB
FindWindowW.USER32 ref: 6BF7D5BE
FindWindowW.USER32 ref: 6BF7D5D1
FindWindowW.USER32 ref: 6BF7D5E4
FindWindowW.USER32 ref: 6BF7D5F7
FindWindowW.USER32 ref: 6BF7D60A
FindWindowW.USER32 ref: 6BF7D61D
FindWindowW.USER32 ref: 6BF7D630
FindWindowW.USER32 ref: 6BF7D643
FindWindowW.USER32 ref: 6BF7D656
FindWindowW.USER32 ref: 6BF7D669
FindWindowW.USER32 ref: 6BF7D67C
FindWindowW.USER32 ref: 6BF7D68F
FindWindowW.USER32 ref: 6BF7D6A2
FindWindowW.USER32 ref: 6BF7D6B5
FindWindowW.USER32 ref: 6BF7D6C8
FindWindowW.USER32 ref: 6BF7D6DB
FindWindowW.USER32 ref: 6BF7D6EE
FindWindowW.USER32 ref: 6BF7D701
FindWindowW.USER32 ref: 6BF7D714
FindWindowW.USER32 ref: 6BF7D727
FindWindowW.USER32 ref: 6BF7D73A
FindWindowW.USER32 ref: 6BF7D74D
FindWindowW.USER32 ref: 6BF7D760
FindWindowW.USER32 ref: 6BF7D773
FindWindowW.USER32 ref: 6BF7D786
FindWindowW.USER32 ref: 6BF7D799
FindWindowW.USER32 ref: 6BF7D7AC
FindWindowW.USER32 ref: 6BF7D7BF
FindWindowW.USER32 ref: 6BF7D7D2
FindWindowW.USER32 ref: 6BF7D7E5
FindWindowW.USER32 ref: 6BF7D7F8
FindWindowW.USER32 ref: 6BF7D80B
FindWindowW.USER32 ref: 6BF7D81E
FindWindowW.USER32 ref: 6BF7D831
FindWindowW.USER32 ref: 6BF7D844
FindWindowW.USER32 ref: 6BF7D857
FindWindowW.USER32 ref: 6BF7D86A
FindWindowW.USER32 ref: 6BF7D87D
FindWindowW.USER32 ref: 6BF7D890
FindWindowW.USER32 ref: 6BF7D8A3
FindWindowW.USER32 ref: 6BF7D8B6
FindWindowW.USER32 ref: 6BF7D8C9
FindWindowW.USER32 ref: 6BF7D8DC
FindWindowW.USER32 ref: 6BF7D8EF
FindWindowW.USER32 ref: 6BF7D902
FindWindowW.USER32 ref: 6BF7D915
FindWindowW.USER32 ref: 6BF7D928
FindWindowW.USER32 ref: 6BF7D93B
FindWindowW.USER32 ref: 6BF7D94E
FindWindowW.USER32 ref: 6BF7D961
FindWindowW.USER32 ref: 6BF7D974
FindWindowW.USER32 ref: 6BF7D987
FindWindowW.USER32 ref: 6BF7D99A
FindWindowW.USER32 ref: 6BF7D9AD
FindWindowW.USER32 ref: 6BF7D9C0
FindWindowW.USER32 ref: 6BF7D9D3
FindWindowW.USER32 ref: 6BF7D9E6
FindWindowW.USER32 ref: 6BF7D9F9
FindWindowW.USER32 ref: 6BF7DA0C
FindWindowW.USER32 ref: 6BF7DA1F
FindWindowW.USER32 ref: 6BF7DA32
FindWindowW.USER32 ref: 6BF7DA45
FindWindowW.USER32 ref: 6BF7DA58
FindWindowW.USER32 ref: 6BF7DA6B
FindWindowW.USER32 ref: 6BF7DA7E
FindWindowW.USER32 ref: 6BF7DA91
FindWindowW.USER32 ref: 6BF7DAA4
FindWindowW.USER32 ref: 6BF7DAB7
FindWindowW.USER32 ref: 6BF7DACA
FindWindowW.USER32 ref: 6BF7DADD
FindWindowW.USER32 ref: 6BF7DAF0
FindWindowW.USER32 ref: 6BF7DB03
FindWindowW.USER32 ref: 6BF7DB16
FindWindowW.USER32 ref: 6BF7DB29
FindWindowW.USER32 ref: 6BF7DB3C
FindWindowW.USER32 ref: 6BF7DB4F
FindWindowW.USER32 ref: 6BF7DB62
FindWindowW.USER32 ref: 6BF7DB75
FindWindowW.USER32 ref: 6BF7DB88
FindWindowW.USER32 ref: 6BF7DB9B
FindWindowW.USER32 ref: 6BF7DBAE
FindWindowW.USER32 ref: 6BF7DBC1
FindWindowW.USER32 ref: 6BF7DBD4
FindWindowW.USER32 ref: 6BF7DBE7
FindWindowW.USER32 ref: 6BF7DBFA
FindWindowW.USER32 ref: 6BF7DC0D
FindWindowW.USER32 ref: 6BF7DC20
FindWindowW.USER32 ref: 6BF7DC33
FindWindowW.USER32 ref: 6BF7DC46
FindWindowW.USER32 ref: 6BF7DC59
FindWindowW.USER32 ref: 6BF7DC6C
FindWindowW.USER32 ref: 6BF7DC7F
FindWindowW.USER32 ref: 6BF7DC92
FindWindowW.USER32 ref: 6BF7DCA5
FindWindowW.USER32 ref: 6BF7DCB8
FindWindowW.USER32 ref: 6BF7DCCB
FindWindowW.USER32 ref: 6BF7DCDE
FindWindowW.USER32 ref: 6BF7DCF1
FindWindowW.USER32 ref: 6BF7DD04
FindWindowW.USER32 ref: 6BF7DD17
FindWindowW.USER32 ref: 6BF7DD2A
FindWindowW.USER32 ref: 6BF7DD3D
FindWindowW.USER32 ref: 6BF7DD50
FindWindowW.USER32 ref: 6BF7DD63
FindWindowW.USER32 ref: 6BF7DD76
FindWindowW.USER32 ref: 6BF7DD89
FindWindowW.USER32 ref: 6BF7DD9C
FindWindowW.USER32 ref: 6BF7DDAF
FindWindowW.USER32 ref: 6BF7DDC2
FindWindowW.USER32 ref: 6BF7DDD5
FindWindowW.USER32 ref: 6BF7DDE8
FindWindowW.USER32 ref: 6BF7DDFB
FindWindowW.USER32 ref: 6BF7DE0E
FindWindowW.USER32 ref: 6BF7DE21
FindWindowW.USER32 ref: 6BF7DE34
FindWindowW.USER32 ref: 6BF7DE47
FindWindowW.USER32 ref: 6BF7DE5A
FindWindowW.USER32 ref: 6BF7DE6D
FindWindowW.USER32 ref: 6BF7DE80
FindWindowW.USER32 ref: 6BF7DE93
FindWindowW.USER32 ref: 6BF7DEA6
FindWindowW.USER32 ref: 6BF7DEB9
FindWindowW.USER32 ref: 6BF7DECC
FindWindowW.USER32 ref: 6BF7DEDF
FindWindowW.USER32 ref: 6BF7DEF2
FindWindowW.USER32 ref: 6BF7DF05
FindWindowW.USER32 ref: 6BF7DF18
FindWindowW.USER32 ref: 6BF7DF2B
FindWindowW.USER32 ref: 6BF7DF3E
FindWindowW.USER32 ref: 6BF7DF51
FindWindowW.USER32 ref: 6BF7DF64
FindWindowW.USER32 ref: 6BF7DF77
FindWindowW.USER32 ref: 6BF7DF8A
FindWindowW.USER32 ref: 6BF7DF9D
FindWindowW.USER32 ref: 6BF7DFB0
FindWindowW.USER32 ref: 6BF7DFC3
FindWindowW.USER32 ref: 6BF7DFD6
FindWindowW.USER32 ref: 6BF7DFE9
FindWindowW.USER32 ref: 6BF7DFFC
FindWindowW.USER32 ref: 6BF7E00F
FindWindowW.USER32 ref: 6BF7E022
FindWindowW.USER32 ref: 6BF7E035
FindWindowW.USER32 ref: 6BF7E048
FindWindowW.USER32 ref: 6BF7E05B
FindWindowW.USER32 ref: 6BF7E06E
FindWindowW.USER32 ref: 6BF7E081
FindWindowW.USER32 ref: 6BF7E094
FindWindowW.USER32 ref: 6BF7E0A7
FindWindowW.USER32 ref: 6BF7E0BA
FindWindowW.USER32 ref: 6BF7E0CD
FindWindowW.USER32 ref: 6BF7E0E0
FindWindowW.USER32 ref: 6BF7E0F3
FindWindowW.USER32 ref: 6BF7E106
FindWindowW.USER32 ref: 6BF7E119
FindWindowW.USER32 ref: 6BF7E12C
FindWindowW.USER32 ref: 6BF7E13F
FindWindowW.USER32 ref: 6BF7E152
FindWindowW.USER32 ref: 6BF7E165
FindWindowW.USER32 ref: 6BF7E178
FindWindowW.USER32 ref: 6BF7E18B
FindWindowW.USER32 ref: 6BF7E19E
FindWindowW.USER32 ref: 6BF7E1B1
FindWindowW.USER32 ref: 6BF7E1C4
FindWindowW.USER32 ref: 6BF7E1D7
FindWindowW.USER32 ref: 6BF7E1EA
FindWindowW.USER32 ref: 6BF7E1FD
FindWindowW.USER32 ref: 6BF7E210
FindWindowW.USER32 ref: 6BF7E223
FindWindowW.USER32 ref: 6BF7E236
FindWindowW.USER32 ref: 6BF7E249
FindWindowW.USER32 ref: 6BF7E25C
FindWindowW.USER32 ref: 6BF7E26F
FindWindowW.USER32 ref: 6BF7E282
FindWindowW.USER32 ref: 6BF7E295
FindWindowW.USER32 ref: 6BF7E2A8
FindWindowW.USER32 ref: 6BF7E2BB
FindWindowW.USER32 ref: 6BF7E2CE
FindWindowW.USER32 ref: 6BF7E2E1
FindWindowW.USER32 ref: 6BF7E2F4
FindWindowW.USER32 ref: 6BF7E307
FindWindowW.USER32 ref: 6BF7E31A
FindWindowW.USER32 ref: 6BF7E32D
FindWindowW.USER32 ref: 6BF7E340
FindWindowW.USER32 ref: 6BF7E353
FindWindowW.USER32 ref: 6BF7E366
FindWindowW.USER32 ref: 6BF7E379
FindWindowW.USER32 ref: 6BF7E38C
FindWindowW.USER32 ref: 6BF7E39F
FindWindowW.USER32 ref: 6BF7E3B2
FindWindowW.USER32 ref: 6BF7E3C5
FindWindowW.USER32 ref: 6BF7E3D8
FindWindowW.USER32 ref: 6BF7E3EB
FindWindowW.USER32 ref: 6BF7E3FE
FindWindowW.USER32 ref: 6BF7E411
FindWindowW.USER32 ref: 6BF7E424
FindWindowW.USER32 ref: 6BF7E437
FindWindowW.USER32 ref: 6BF7E44A
FindWindowW.USER32 ref: 6BF7E45D
FindWindowW.USER32 ref: 6BF7E470
FindWindowW.USER32 ref: 6BF7E483
FindWindowW.USER32 ref: 6BF7E496
FindWindowW.USER32 ref: 6BF7E4A9
FindWindowW.USER32 ref: 6BF7E4BC
FindWindowW.USER32 ref: 6BF7E4CF
FindWindowW.USER32 ref: 6BF7E4E2
FindWindowW.USER32 ref: 6BF7E4F5
FindWindowW.USER32 ref: 6BF7E508
FindWindowW.USER32 ref: 6BF7E51B
FindWindowW.USER32 ref: 6BF7E52E
FindWindowW.USER32 ref: 6BF7E541
FindWindowW.USER32 ref: 6BF7E554
FindWindowW.USER32 ref: 6BF7E567
FindWindowW.USER32 ref: 6BF7E57A
FindWindowW.USER32 ref: 6BF7E58D
FindWindowW.USER32 ref: 6BF7E5A0
FindWindowW.USER32 ref: 6BF7E5B3
FindWindowW.USER32 ref: 6BF7E5C6
FindWindowW.USER32 ref: 6BF7E5D9
FindWindowW.USER32 ref: 6BF7E5EC
FindWindowW.USER32 ref: 6BF7E5FF
FindWindowW.USER32 ref: 6BF7E612
FindWindowW.USER32 ref: 6BF7E625
FindWindowW.USER32 ref: 6BF7E638
FindWindowW.USER32 ref: 6BF7E64B
FindWindowW.USER32 ref: 6BF7E65E
FindWindowW.USER32 ref: 6BF7E671
FindWindowW.USER32 ref: 6BF7E684
FindWindowW.USER32 ref: 6BF7E697
FindWindowW.USER32 ref: 6BF7E6AA
FindWindowW.USER32 ref: 6BF7E6BD
FindWindowW.USER32 ref: 6BF7E6D0
FindWindowW.USER32 ref: 6BF7E6E3
FindWindowW.USER32 ref: 6BF7E6F6
FindWindowW.USER32 ref: 6BF7E709
FindWindowW.USER32 ref: 6BF7E71C
FindWindowW.USER32 ref: 6BF7E72F
FindWindowW.USER32 ref: 6BF7E742
FindWindowW.USER32 ref: 6BF7E755
FindWindowW.USER32 ref: 6BF7E768
FindWindowW.USER32 ref: 6BF7E77B
FindWindowW.USER32 ref: 6BF7E78E
FindWindowW.USER32 ref: 6BF7E7A1
FindWindowW.USER32 ref: 6BF7E7B4
FindWindowW.USER32 ref: 6BF7E7C7
FindWindowW.USER32 ref: 6BF7E7DA
FindWindowW.USER32 ref: 6BF7E7ED
FindWindowW.USER32 ref: 6BF7E800
FindWindowW.USER32 ref: 6BF7E813
FindWindowW.USER32 ref: 6BF7E826
FindWindowW.USER32 ref: 6BF7E839
FindWindowW.USER32 ref: 6BF7E84C
FindWindowW.USER32 ref: 6BF7E85F
FindWindowW.USER32 ref: 6BF7E872
FindWindowW.USER32 ref: 6BF7E885
FindWindowW.USER32 ref: 6BF7E898
FindWindowW.USER32 ref: 6BF7E8AB
FindWindowW.USER32 ref: 6BF7E8BE
FindWindowW.USER32 ref: 6BF7E8D1
FindWindowW.USER32 ref: 6BF7E8E4
FindWindowW.USER32 ref: 6BF7E8F7
FindWindowW.USER32 ref: 6BF7E90A
FindWindowW.USER32 ref: 6BF7E91D
FindWindowW.USER32 ref: 6BF7E930
FindWindowW.USER32 ref: 6BF7E943
FindWindowW.USER32 ref: 6BF7E956
FindWindowW.USER32 ref: 6BF7E969
FindWindowW.USER32 ref: 6BF7E97C
FindWindowW.USER32 ref: 6BF7E98F
FindWindowW.USER32 ref: 6BF7E9A2
FindWindowW.USER32 ref: 6BF7E9B5
FindWindowW.USER32 ref: 6BF7E9C8
FindWindowW.USER32 ref: 6BF7E9DB
FindWindowW.USER32 ref: 6BF7E9EE
FindWindowW.USER32 ref: 6BF7EA01
FindWindowW.USER32 ref: 6BF7EA14
FindWindowW.USER32 ref: 6BF7EA27
FindWindowW.USER32 ref: 6BF7EA3A
FindWindowW.USER32 ref: 6BF7EA4D
FindWindowW.USER32 ref: 6BF7EA60
FindWindowW.USER32 ref: 6BF7EA73
FindWindowW.USER32 ref: 6BF7EA86
FindWindowW.USER32 ref: 6BF7EA99
FindWindowW.USER32 ref: 6BF7EAAC
FindWindowW.USER32 ref: 6BF7EABF
FindWindowW.USER32 ref: 6BF7EAD2
FindWindowW.USER32 ref: 6BF7EAE5
FindWindowW.USER32 ref: 6BF7EAF8
FindWindowW.USER32 ref: 6BF7EB0B
FindWindowW.USER32 ref: 6BF7EB1E
FindWindowW.USER32 ref: 6BF7EB31
FindWindowW.USER32 ref: 6BF7EB44
FindWindowW.USER32 ref: 6BF7EB57
FindWindowW.USER32 ref: 6BF7EB6A
FindWindowW.USER32 ref: 6BF7EB7D
FindWindowW.USER32 ref: 6BF7EB90
FindWindowW.USER32 ref: 6BF7EBA3
FindWindowW.USER32 ref: 6BF7EBB6
FindWindowW.USER32 ref: 6BF7EBC9
FindWindowW.USER32 ref: 6BF7EBDC
FindWindowW.USER32 ref: 6BF7EBEF
FindWindowW.USER32 ref: 6BF7EC02
FindWindowW.USER32 ref: 6BF7EC15
FindWindowW.USER32 ref: 6BF7EC28
FindWindowW.USER32 ref: 6BF7EC3B
FindWindowW.USER32 ref: 6BF7EC4E
FindWindowW.USER32 ref: 6BF7EC61
FindWindowW.USER32 ref: 6BF7EC74
FindWindowW.USER32 ref: 6BF7EC87
FindWindowW.USER32 ref: 6BF7EC9A
FindWindowW.USER32 ref: 6BF7ECAD
FindWindowW.USER32 ref: 6BF7ECC0
FindWindowW.USER32 ref: 6BF7ECD3
FindWindowW.USER32 ref: 6BF7ECE6
FindWindowW.USER32 ref: 6BF7ECF9
FindWindowW.USER32 ref: 6BF7ED0C
FindWindowW.USER32 ref: 6BF7ED1F
FindWindowW.USER32 ref: 6BF7ED32
FindWindowW.USER32 ref: 6BF7ED45
FindWindowW.USER32 ref: 6BF7ED58
FindWindowW.USER32 ref: 6BF7ED6B
FindWindowW.USER32 ref: 6BF7ED7E
FindWindowW.USER32 ref: 6BF7ED91
FindWindowW.USER32 ref: 6BF7EDA4
FindWindowW.USER32 ref: 6BF7EDB7
FindWindowW.USER32 ref: 6BF7EDCA
FindWindowW.USER32 ref: 6BF7EDDD
FindWindowW.USER32 ref: 6BF7EDF0
FindWindowW.USER32 ref: 6BF7EE03
FindWindowW.USER32 ref: 6BF7EE16
FindWindowW.USER32 ref: 6BF7EE29
FindWindowW.USER32 ref: 6BF7EE3C
FindWindowW.USER32 ref: 6BF7EE4F
FindWindowW.USER32 ref: 6BF7EE62
FindWindowW.USER32 ref: 6BF7EE75
FindWindowW.USER32 ref: 6BF7EE88
FindWindowW.USER32 ref: 6BF7EE9B
FindWindowW.USER32 ref: 6BF7EEAE
FindWindowW.USER32 ref: 6BF7EEC1
FindWindowW.USER32 ref: 6BF7EED4
FindWindowW.USER32 ref: 6BF7EEE7
FindWindowW.USER32 ref: 6BF7EEFA
FindWindowW.USER32 ref: 6BF7EF0D
FindWindowW.USER32 ref: 6BF7EF20
FindWindowW.USER32 ref: 6BF7EF33
FindWindowW.USER32 ref: 6BF7EF46
FindWindowW.USER32 ref: 6BF7EF59
FindWindowW.USER32 ref: 6BF7EF6C
FindWindowW.USER32 ref: 6BF7EF7F
FindWindowW.USER32 ref: 6BF7EF92
FindWindowW.USER32 ref: 6BF7EFA5
FindWindowW.USER32 ref: 6BF7EFB8
FindWindowW.USER32 ref: 6BF7EFCB
FindWindowW.USER32 ref: 6BF7EFDE
FindWindowW.USER32 ref: 6BF7EFF1
FindWindowW.USER32 ref: 6BF7F004
FindWindowW.USER32 ref: 6BF7F017
FindWindowW.USER32 ref: 6BF7F02A
FindWindowW.USER32 ref: 6BF7F03D
FindWindowW.USER32 ref: 6BF7F050
FindWindowW.USER32 ref: 6BF7F063
FindWindowW.USER32 ref: 6BF7F076
FindWindowW.USER32 ref: 6BF7F089
FindWindowW.USER32 ref: 6BF7F09C
FindWindowW.USER32 ref: 6BF7F0AF
FindWindowW.USER32 ref: 6BF7F0C2
FindWindowW.USER32 ref: 6BF7F0D5
FindWindowW.USER32 ref: 6BF7F0E8
FindWindowW.USER32 ref: 6BF7F0FB
FindWindowW.USER32 ref: 6BF7F10E
FindWindowW.USER32 ref: 6BF7F121
FindWindowW.USER32 ref: 6BF7F134
FindWindowW.USER32 ref: 6BF7F147
FindWindowW.USER32 ref: 6BF7F15A
FindWindowW.USER32 ref: 6BF7F16D
FindWindowW.USER32 ref: 6BF7F180
FindWindowW.USER32 ref: 6BF7F193
FindWindowW.USER32 ref: 6BF7F1A6
FindWindowW.USER32 ref: 6BF7F1B9
FindWindowW.USER32 ref: 6BF7F1CC
FindWindowW.USER32 ref: 6BF7F1DF
FindWindowW.USER32 ref: 6BF7F1F2
FindWindowW.USER32 ref: 6BF7F205
FindWindowW.USER32 ref: 6BF7F218
FindWindowW.USER32 ref: 6BF7F22B
FindWindowW.USER32 ref: 6BF7F23E
FindWindowW.USER32 ref: 6BF7F251
FindWindowW.USER32 ref: 6BF7F264
FindWindowW.USER32 ref: 6BF7F277
FindWindowW.USER32 ref: 6BF7F28A
FindWindowW.USER32 ref: 6BF7F29D
FindWindowW.USER32 ref: 6BF7F2B0
FindWindowW.USER32 ref: 6BF7F2C3
FindWindowW.USER32 ref: 6BF7F2D6
FindWindowW.USER32 ref: 6BF7F2E9
FindWindowW.USER32 ref: 6BF7F2FC
FindWindowW.USER32 ref: 6BF7F30F
FindWindowW.USER32 ref: 6BF7F322
FindWindowW.USER32 ref: 6BF7F335
FindWindowW.USER32 ref: 6BF7F348
FindWindowW.USER32 ref: 6BF7F35B
FindWindowW.USER32 ref: 6BF7F36E
FindWindowW.USER32 ref: 6BF7F381
FindWindowW.USER32 ref: 6BF7F394
FindWindowW.USER32 ref: 6BF7F3A7
FindWindowW.USER32 ref: 6BF7F3BA
FindWindowW.USER32 ref: 6BF7F3CD
FindWindowW.USER32 ref: 6BF7F3E0
FindWindowW.USER32 ref: 6BF7F3F3
FindWindowW.USER32 ref: 6BF7F406
FindWindowW.USER32 ref: 6BF7F419
FindWindowW.USER32 ref: 6BF7F42C
FindWindowW.USER32 ref: 6BF7F43F
FindWindowW.USER32 ref: 6BF7F452
FindWindowW.USER32 ref: 6BF7F465
FindWindowW.USER32 ref: 6BF7F478
FindWindowW.USER32 ref: 6BF7F48B
FindWindowW.USER32 ref: 6BF7F49E
FindWindowW.USER32 ref: 6BF7F4B1
FindWindowW.USER32 ref: 6BF7F4C4
FindWindowW.USER32 ref: 6BF7F4D7
FindWindowW.USER32 ref: 6BF7F4EA
FindWindowW.USER32 ref: 6BF7F4FD
FindWindowW.USER32 ref: 6BF7F510
FindWindowW.USER32 ref: 6BF7F523
FindWindowW.USER32 ref: 6BF7F536
FindWindowW.USER32 ref: 6BF7F549
FindWindowW.USER32 ref: 6BF7F55C
FindWindowW.USER32 ref: 6BF7F56F
FindWindowW.USER32 ref: 6BF7F582
FindWindowW.USER32 ref: 6BF7F595
FindWindowW.USER32 ref: 6BF7F5A8
FindWindowW.USER32 ref: 6BF7F5BB
FindWindowW.USER32 ref: 6BF7F5CE
FindWindowW.USER32 ref: 6BF7F5E1
FindWindowW.USER32 ref: 6BF7F5F4
FindWindowW.USER32 ref: 6BF7F607
FindWindowW.USER32 ref: 6BF7F61A
FindWindowW.USER32 ref: 6BF7F62D
FindWindowW.USER32 ref: 6BF7F640
FindWindowW.USER32 ref: 6BF7F653
FindWindowW.USER32 ref: 6BF7F666
FindWindowW.USER32 ref: 6BF7F679
FindWindowW.USER32 ref: 6BF7F68C
FindWindowW.USER32 ref: 6BF7F69F
FindWindowW.USER32 ref: 6BF7F6B2
FindWindowW.USER32 ref: 6BF7F6C5
FindWindowW.USER32 ref: 6BF7F6D8
FindWindowW.USER32 ref: 6BF7F6EB
FindWindowW.USER32 ref: 6BF7F6FE
FindWindowW.USER32 ref: 6BF7F711
FindWindowW.USER32 ref: 6BF7F724
FindWindowW.USER32 ref: 6BF7F737
FindWindowW.USER32 ref: 6BF7F74A
FindWindowW.USER32 ref: 6BF7F75D
FindWindowW.USER32 ref: 6BF7F770
FindWindowW.USER32 ref: 6BF7F783
FindWindowW.USER32 ref: 6BF7F796
FindWindowW.USER32 ref: 6BF7F7A9
FindWindowW.USER32 ref: 6BF7F7BC
FindWindowW.USER32 ref: 6BF7F7CF
FindWindowW.USER32 ref: 6BF7F7E2
FindWindowW.USER32 ref: 6BF7F7F5
FindWindowW.USER32 ref: 6BF7F808
FindWindowW.USER32 ref: 6BF7F81B
FindWindowW.USER32 ref: 6BF7F82E
FindWindowW.USER32 ref: 6BF7F841
FindWindowW.USER32 ref: 6BF7F854
FindWindowW.USER32 ref: 6BF7F867
FindWindowW.USER32 ref: 6BF7F87A
FindWindowW.USER32 ref: 6BF7F88D
FindWindowW.USER32 ref: 6BF7F8A0
FindWindowW.USER32 ref: 6BF7F8B3
FindWindowW.USER32 ref: 6BF7F8C6
FindWindowW.USER32 ref: 6BF7F8D9
FindWindowW.USER32 ref: 6BF7F8EC
FindWindowW.USER32 ref: 6BF7F8FF
FindWindowW.USER32 ref: 6BF7F912
FindWindowW.USER32 ref: 6BF7F925
FindWindowW.USER32 ref: 6BF7F938
FindWindowW.USER32 ref: 6BF7F94B
FindWindowW.USER32 ref: 6BF7F95E
FindWindowW.USER32 ref: 6BF7F971
FindWindowW.USER32 ref: 6BF7F984
FindWindowW.USER32 ref: 6BF7F997
FindWindowW.USER32 ref: 6BF7F9AA
FindWindowW.USER32 ref: 6BF7F9BD
FindWindowW.USER32 ref: 6BF7F9D0
FindWindowW.USER32 ref: 6BF7F9E3
FindWindowW.USER32 ref: 6BF7F9F6
FindWindowW.USER32 ref: 6BF7FA09
FindWindowW.USER32 ref: 6BF7FA1C
FindWindowW.USER32 ref: 6BF7FA2F
FindWindowW.USER32 ref: 6BF7FA42
FindWindowW.USER32 ref: 6BF7FA55
FindWindowW.USER32 ref: 6BF7FA68
FindWindowW.USER32 ref: 6BF7FA7B
FindWindowW.USER32 ref: 6BF7FA8E
FindWindowW.USER32 ref: 6BF7FAA1
FindWindowW.USER32 ref: 6BF7FAB4
FindWindowW.USER32 ref: 6BF7FAC7
FindWindowW.USER32 ref: 6BF7FADA
FindWindowW.USER32 ref: 6BF7FAED
FindWindowW.USER32 ref: 6BF7FB00
FindWindowW.USER32 ref: 6BF7FB13
FindWindowW.USER32 ref: 6BF7FB26
FindWindowW.USER32 ref: 6BF7FB39
FindWindowW.USER32 ref: 6BF7FB4C
FindWindowW.USER32 ref: 6BF7FB5F
FindWindowW.USER32 ref: 6BF7FB72
FindWindowW.USER32 ref: 6BF7FB85
FindWindowW.USER32 ref: 6BF7FB98
FindWindowW.USER32 ref: 6BF7FBAB
FindWindowW.USER32 ref: 6BF7FBBE
FindWindowW.USER32 ref: 6BF7FBD1
FindWindowW.USER32 ref: 6BF7FBE4
FindWindowW.USER32 ref: 6BF7FBF7
FindWindowW.USER32 ref: 6BF7FC0A
FindWindowW.USER32 ref: 6BF7FC1D
FindWindowW.USER32 ref: 6BF7FC30
FindWindowW.USER32 ref: 6BF7FC43
FindWindowW.USER32 ref: 6BF7FC56
FindWindowW.USER32 ref: 6BF7FC69
FindWindowW.USER32 ref: 6BF7FC7C
FindWindowW.USER32 ref: 6BF7FC8F
FindWindowW.USER32 ref: 6BF7FCA2
FindWindowW.USER32 ref: 6BF7FCB5
FindWindowW.USER32 ref: 6BF7FCC8
FindWindowW.USER32 ref: 6BF7FCDB
FindWindowW.USER32 ref: 6BF7FCEE
FindWindowW.USER32 ref: 6BF7FD01
FindWindowW.USER32 ref: 6BF7FD14
FindWindowW.USER32 ref: 6BF7FD27
FindWindowW.USER32 ref: 6BF7FD3A
FindWindowW.USER32 ref: 6BF7FD4D
FindWindowW.USER32 ref: 6BF7FD60
FindWindowW.USER32 ref: 6BF7FD73
FindWindowW.USER32 ref: 6BF7FD86
FindWindowW.USER32 ref: 6BF7FD99
FindWindowW.USER32 ref: 6BF7FDAC
FindWindowW.USER32 ref: 6BF7FDBF
FindWindowW.USER32 ref: 6BF7FDD2
FindWindowW.USER32 ref: 6BF7FDE5
FindWindowW.USER32 ref: 6BF7FDF8
FindWindowW.USER32 ref: 6BF7FE0B
FindWindowW.USER32 ref: 6BF7FE1E
FindWindowW.USER32 ref: 6BF7FE31
FindWindowW.USER32 ref: 6BF7FE44
FindWindowW.USER32 ref: 6BF7FE57
FindWindowW.USER32 ref: 6BF7FE6A
FindWindowW.USER32 ref: 6BF7FE7D
FindWindowW.USER32 ref: 6BF7FE90
FindWindowW.USER32 ref: 6BF7FEA3
FindWindowW.USER32 ref: 6BF7FEB6
FindWindowW.USER32 ref: 6BF7FEC9
FindWindowW.USER32 ref: 6BF7FEDC
FindWindowW.USER32 ref: 6BF7FEEF
FindWindowW.USER32 ref: 6BF7FF02
FindWindowW.USER32 ref: 6BF7FF15
FindWindowW.USER32 ref: 6BF7FF28
FindWindowW.USER32 ref: 6BF7FF3B
FindWindowW.USER32 ref: 6BF7FF4E
FindWindowW.USER32 ref: 6BF7FF61
FindWindowW.USER32 ref: 6BF7FF74
FindWindowW.USER32 ref: 6BF7FF87
FindWindowW.USER32 ref: 6BF7FF9A
FindWindowW.USER32 ref: 6BF7FFAD
FindWindowW.USER32 ref: 6BF7FFC0
FindWindowW.USER32 ref: 6BF7FFD3
FindWindowW.USER32 ref: 6BF7FFE6
FindWindowW.USER32 ref: 6BF7FFF9
FindWindowW.USER32 ref: 6BF8000C
FindWindowW.USER32 ref: 6BF8001F
FindWindowW.USER32 ref: 6BF80032
FindWindowW.USER32 ref: 6BF80045
FindWindowW.USER32 ref: 6BF80058
FindWindowW.USER32 ref: 6BF8006B
FindWindowW.USER32 ref: 6BF8007E
FindWindowW.USER32 ref: 6BF80091
FindWindowW.USER32 ref: 6BF800A4
FindWindowW.USER32 ref: 6BF800B7
FindWindowW.USER32 ref: 6BF800CA
FindWindowW.USER32 ref: 6BF800DD
FindWindowW.USER32 ref: 6BF800F0
FindWindowW.USER32 ref: 6BF80103
FindWindowW.USER32 ref: 6BF80116
FindWindowW.USER32 ref: 6BF80129
FindWindowW.USER32 ref: 6BF8013C
FindWindowW.USER32 ref: 6BF8014F
FindWindowW.USER32 ref: 6BF80162
FindWindowW.USER32 ref: 6BF80175
FindWindowW.USER32 ref: 6BF80188
FindWindowW.USER32 ref: 6BF8019B
FindWindowW.USER32 ref: 6BF801AE
FindWindowW.USER32 ref: 6BF801C1
FindWindowW.USER32 ref: 6BF801D4
FindWindowW.USER32 ref: 6BF801E7
FindWindowW.USER32 ref: 6BF801FA
FindWindowW.USER32 ref: 6BF8020D
FindWindowW.USER32 ref: 6BF80220
FindWindowW.USER32 ref: 6BF80233
FindWindowW.USER32 ref: 6BF80246
FindWindowW.USER32 ref: 6BF80259
FindWindowW.USER32 ref: 6BF8026C
FindWindowW.USER32 ref: 6BF8027F
FindWindowW.USER32 ref: 6BF80292
FindWindowW.USER32 ref: 6BF802A5
FindWindowW.USER32 ref: 6BF802B8
FindWindowW.USER32 ref: 6BF802CB
FindWindowW.USER32 ref: 6BF802DE
FindWindowW.USER32 ref: 6BF802F1
FindWindowW.USER32 ref: 6BF80304
FindWindowW.USER32 ref: 6BF80317
FindWindowW.USER32 ref: 6BF8032A
FindWindowW.USER32 ref: 6BF8033D
FindWindowW.USER32 ref: 6BF80350
FindWindowW.USER32 ref: 6BF80363
FindWindowW.USER32 ref: 6BF80376
FindWindowW.USER32 ref: 6BF80389
FindWindowW.USER32 ref: 6BF8039C
FindWindowW.USER32 ref: 6BF803AF
FindWindowW.USER32 ref: 6BF803C2
FindWindowW.USER32 ref: 6BF803D5
FindWindowW.USER32 ref: 6BF803E8
FindWindowW.USER32 ref: 6BF803FB
FindWindowW.USER32 ref: 6BF8040E
FindWindowW.USER32 ref: 6BF80421
FindWindowW.USER32 ref: 6BF80434
FindWindowW.USER32 ref: 6BF80447
FindWindowW.USER32 ref: 6BF8045A
FindWindowW.USER32 ref: 6BF8046D
FindWindowW.USER32 ref: 6BF80480
FindWindowW.USER32 ref: 6BF80493
FindWindowW.USER32 ref: 6BF804A6
FindWindowW.USER32 ref: 6BF804B9
FindWindowW.USER32 ref: 6BF804CC
FindWindowW.USER32 ref: 6BF804DF
FindWindowW.USER32 ref: 6BF804F2
FindWindowW.USER32 ref: 6BF80505
FindWindowW.USER32 ref: 6BF80518
FindWindowW.USER32 ref: 6BF8052B
FindWindowW.USER32 ref: 6BF8053E
FindWindowW.USER32 ref: 6BF80551
FindWindowW.USER32 ref: 6BF80564
FindWindowW.USER32 ref: 6BF80577
FindWindowW.USER32 ref: 6BF8058A
FindWindowW.USER32 ref: 6BF8059D
FindWindowW.USER32 ref: 6BF805B0
FindWindowW.USER32 ref: 6BF805C3
FindWindowW.USER32 ref: 6BF805D6
FindWindowW.USER32 ref: 6BF805E9
FindWindowW.USER32 ref: 6BF805FC
FindWindowW.USER32 ref: 6BF8060F
FindWindowW.USER32 ref: 6BF80622
FindWindowW.USER32 ref: 6BF80635
FindWindowW.USER32 ref: 6BF80648
FindWindowW.USER32 ref: 6BF8065B
FindWindowW.USER32 ref: 6BF8066E
FindWindowW.USER32 ref: 6BF80681
FindWindowW.USER32 ref: 6BF80694
FindWindowW.USER32 ref: 6BF806A7
FindWindowW.USER32 ref: 6BF806BA
FindWindowW.USER32 ref: 6BF806CD
FindWindowW.USER32 ref: 6BF806E0
FindWindowW.USER32 ref: 6BF806F3
FindWindowW.USER32 ref: 6BF80706
FindWindowW.USER32 ref: 6BF80719
FindWindowW.USER32 ref: 6BF8072C
FindWindowW.USER32 ref: 6BF8073F
FindWindowW.USER32 ref: 6BF80752
FindWindowW.USER32 ref: 6BF80765
FindWindowW.USER32 ref: 6BF80778
FindWindowW.USER32 ref: 6BF8078B
FindWindowW.USER32 ref: 6BF8079E
FindWindowW.USER32 ref: 6BF807B1
FindWindowW.USER32 ref: 6BF807C4
FindWindowW.USER32 ref: 6BF807D7
FindWindowW.USER32 ref: 6BF807EA
FindWindowW.USER32 ref: 6BF807FD
FindWindowW.USER32 ref: 6BF80810
FindWindowW.USER32 ref: 6BF80823
FindWindowW.USER32 ref: 6BF80836
FindWindowW.USER32 ref: 6BF80849
FindWindowW.USER32 ref: 6BF8085C
FindWindowW.USER32 ref: 6BF8086F
FindWindowW.USER32 ref: 6BF80882
FindWindowW.USER32 ref: 6BF80895
FindWindowW.USER32 ref: 6BF808A8
FindWindowW.USER32 ref: 6BF808BB
FindWindowW.USER32 ref: 6BF808CE
FindWindowW.USER32 ref: 6BF808E1
FindWindowW.USER32 ref: 6BF808F4
FindWindowW.USER32 ref: 6BF80907
FindWindowW.USER32 ref: 6BF8091A
FindWindowW.USER32 ref: 6BF8092D
FindWindowW.USER32 ref: 6BF80940
FindWindowW.USER32 ref: 6BF80953
FindWindowW.USER32 ref: 6BF80966
FindWindowW.USER32 ref: 6BF80979
FindWindowW.USER32 ref: 6BF8098C
FindWindowW.USER32 ref: 6BF8099F
FindWindowW.USER32 ref: 6BF809B2
FindWindowW.USER32 ref: 6BF809C5
FindWindowW.USER32 ref: 6BF809D8
FindWindowW.USER32 ref: 6BF809EB
FindWindowW.USER32 ref: 6BF809FE
FindWindowW.USER32 ref: 6BF80A11
FindWindowW.USER32 ref: 6BF80A24
FindWindowW.USER32 ref: 6BF80A37
FindWindowW.USER32 ref: 6BF80A4A
FindWindowW.USER32 ref: 6BF80A5D
FindWindowW.USER32 ref: 6BF80A70
FindWindowW.USER32 ref: 6BF80A83
FindWindowW.USER32 ref: 6BF80A96
FindWindowW.USER32 ref: 6BF80AA9
FindWindowW.USER32 ref: 6BF80ABC
FindWindowW.USER32 ref: 6BF80ACF
FindWindowW.USER32 ref: 6BF80AE2
FindWindowW.USER32 ref: 6BF80AF5
FindWindowW.USER32 ref: 6BF80B08
FindWindowW.USER32 ref: 6BF80B1B
FindWindowW.USER32 ref: 6BF80B2E
FindWindowW.USER32 ref: 6BF80B41
FindWindowW.USER32 ref: 6BF80B54
FindWindowW.USER32 ref: 6BF80B67
FindWindowW.USER32 ref: 6BF80B7A
FindWindowW.USER32 ref: 6BF80B8D
FindWindowW.USER32 ref: 6BF80BA0
FindWindowW.USER32 ref: 6BF80BB3
FindWindowW.USER32 ref: 6BF80BC6
FindWindowW.USER32 ref: 6BF80BD9
FindWindowW.USER32 ref: 6BF80BEC
FindWindowW.USER32 ref: 6BF80BFF
FindWindowW.USER32 ref: 6BF80C12
FindWindowW.USER32 ref: 6BF80C25
FindWindowW.USER32 ref: 6BF80C38
FindWindowW.USER32 ref: 6BF80C4B
FindWindowW.USER32 ref: 6BF80C5E
FindWindowW.USER32 ref: 6BF80C71
FindWindowW.USER32 ref: 6BF80C84
FindWindowW.USER32 ref: 6BF80C97
FindWindowW.USER32 ref: 6BF80CAA
FindWindowW.USER32 ref: 6BF80CBD
FindWindowW.USER32 ref: 6BF80CD0
FindWindowW.USER32 ref: 6BF80CE3
FindWindowW.USER32 ref: 6BF80CF6
FindWindowW.USER32 ref: 6BF80D09
FindWindowW.USER32 ref: 6BF80D1C
FindWindowW.USER32 ref: 6BF80D2F
FindWindowW.USER32 ref: 6BF80D42
FindWindowW.USER32 ref: 6BF80D55
FindWindowW.USER32 ref: 6BF80D68
FindWindowW.USER32 ref: 6BF80D7B
FindWindowW.USER32 ref: 6BF80D8E
FindWindowW.USER32 ref: 6BF80DA1
FindWindowW.USER32 ref: 6BF80DB4
FindWindowW.USER32 ref: 6BF80DC7
FindWindowW.USER32 ref: 6BF80DDA
FindWindowW.USER32 ref: 6BF80DED
FindWindowW.USER32 ref: 6BF80E00
FindWindowW.USER32 ref: 6BF80E13
FindWindowW.USER32 ref: 6BF80E26
FindWindowW.USER32 ref: 6BF80E39
FindWindowW.USER32 ref: 6BF80E4C
FindWindowW.USER32 ref: 6BF80E5F
FindWindowW.USER32 ref: 6BF80E72
FindWindowW.USER32 ref: 6BF80E85
FindWindowW.USER32 ref: 6BF80E98
FindWindowW.USER32 ref: 6BF80EAB
FindWindowW.USER32 ref: 6BF80EBE
FindWindowW.USER32 ref: 6BF80ED1
FindWindowW.USER32 ref: 6BF80EE4
FindWindowW.USER32 ref: 6BF80EF7
FindWindowW.USER32 ref: 6BF80F0A
FindWindowW.USER32 ref: 6BF80F1D
FindWindowW.USER32 ref: 6BF80F30
FindWindowW.USER32 ref: 6BF80F43
FindWindowW.USER32 ref: 6BF80F56
FindWindowW.USER32 ref: 6BF80F69
FindWindowW.USER32 ref: 6BF80F7C
FindWindowW.USER32 ref: 6BF80F8F
FindWindowW.USER32 ref: 6BF80FA2
FindWindowW.USER32 ref: 6BF80FB5
FindWindowW.USER32 ref: 6BF80FC8
FindWindowW.USER32 ref: 6BF80FDB
FindWindowW.USER32 ref: 6BF80FEE
FindWindowW.USER32 ref: 6BF81001
FindWindowW.USER32 ref: 6BF81014
FindWindowW.USER32 ref: 6BF81027
FindWindowW.USER32 ref: 6BF8103A
FindWindowW.USER32 ref: 6BF8104D
FindWindowW.USER32 ref: 6BF81060
FindWindowW.USER32 ref: 6BF81073
FindWindowW.USER32 ref: 6BF81086
FindWindowW.USER32 ref: 6BF81099
FindWindowW.USER32 ref: 6BF810AC
FindWindowW.USER32 ref: 6BF810BF
FindWindowW.USER32 ref: 6BF810D2
FindWindowW.USER32 ref: 6BF810E5
FindWindowW.USER32 ref: 6BF810F8
FindWindowW.USER32 ref: 6BF8110B
FindWindowW.USER32 ref: 6BF8111E
FindWindowW.USER32 ref: 6BF81131
FindWindowW.USER32 ref: 6BF81144
FindWindowW.USER32 ref: 6BF81157
FindWindowW.USER32 ref: 6BF8116A
FindWindowW.USER32 ref: 6BF8117D
FindWindowW.USER32 ref: 6BF81190
FindWindowW.USER32 ref: 6BF811A3
FindWindowW.USER32 ref: 6BF811B6
FindWindowW.USER32 ref: 6BF811C9
FindWindowW.USER32 ref: 6BF811DC
FindWindowW.USER32 ref: 6BF811EF
FindWindowW.USER32 ref: 6BF81202
FindWindowW.USER32 ref: 6BF81215
FindWindowW.USER32 ref: 6BF81228
FindWindowW.USER32 ref: 6BF8123B
FindWindowW.USER32 ref: 6BF8124E
FindWindowW.USER32 ref: 6BF81261
FindWindowW.USER32 ref: 6BF81274
FindWindowW.USER32 ref: 6BF81287
FindWindowW.USER32 ref: 6BF8129A
FindWindowW.USER32 ref: 6BF812AD
FindWindowW.USER32 ref: 6BF812C0
FindWindowW.USER32 ref: 6BF812D3
FindWindowW.USER32 ref: 6BF812E6
FindWindowW.USER32 ref: 6BF812F9
FindWindowW.USER32 ref: 6BF8130C
FindWindowW.USER32 ref: 6BF8131F
FindWindowW.USER32 ref: 6BF81332
FindWindowW.USER32 ref: 6BF81345
FindWindowW.USER32 ref: 6BF81358
FindWindowW.USER32 ref: 6BF8136B
FindWindowW.USER32 ref: 6BF8137E
FindWindowW.USER32 ref: 6BF81391
FindWindowW.USER32 ref: 6BF813A4
FindWindowW.USER32 ref: 6BF813B7
FindWindowW.USER32 ref: 6BF813CA
FindWindowW.USER32 ref: 6BF813DD
FindWindowW.USER32 ref: 6BF813F0
FindWindowW.USER32 ref: 6BF81403
FindWindowW.USER32 ref: 6BF81416
FindWindowW.USER32 ref: 6BF81429
FindWindowW.USER32 ref: 6BF8143C
FindWindowW.USER32 ref: 6BF8144F
FindWindowW.USER32 ref: 6BF81462
FindWindowW.USER32 ref: 6BF81475
FindWindowW.USER32 ref: 6BF81488
FindWindowW.USER32 ref: 6BF8149B
FindWindowW.USER32 ref: 6BF814AE
FindWindowW.USER32 ref: 6BF814C1
FindWindowW.USER32 ref: 6BF814D4
FindWindowW.USER32 ref: 6BF814E7
FindWindowW.USER32 ref: 6BF814FA
FindWindowW.USER32 ref: 6BF8150D
FindWindowW.USER32 ref: 6BF81520
FindWindowW.USER32 ref: 6BF81533
FindWindowW.USER32 ref: 6BF81546
FindWindowW.USER32 ref: 6BF81559
FindWindowW.USER32 ref: 6BF8156C
FindWindowW.USER32 ref: 6BF8157F
FindWindowW.USER32 ref: 6BF81592
FindWindowW.USER32 ref: 6BF815A5
FindWindowW.USER32 ref: 6BF815B8
FindWindowW.USER32 ref: 6BF815CB
FindWindowW.USER32 ref: 6BF815DE
FindWindowW.USER32 ref: 6BF815F1
FindWindowW.USER32 ref: 6BF81604
FindWindowW.USER32 ref: 6BF81617
FindWindowW.USER32 ref: 6BF8162A
FindWindowW.USER32 ref: 6BF8163D
FindWindowW.USER32 ref: 6BF81650
FindWindowW.USER32 ref: 6BF81663
FindWindowW.USER32 ref: 6BF81676
FindWindowW.USER32 ref: 6BF81689
FindWindowW.USER32 ref: 6BF8169C
FindWindowW.USER32 ref: 6BF816AF
FindWindowW.USER32 ref: 6BF816C2
FindWindowW.USER32 ref: 6BF816D5
FindWindowW.USER32 ref: 6BF816E8
FindWindowW.USER32 ref: 6BF816FB
FindWindowW.USER32 ref: 6BF8170E
FindWindowW.USER32 ref: 6BF81721
FindWindowW.USER32 ref: 6BF81734
FindWindowW.USER32 ref: 6BF81747
FindWindowW.USER32 ref: 6BF8175A
FindWindowW.USER32 ref: 6BF8176D
FindWindowW.USER32 ref: 6BF81780
FindWindowW.USER32 ref: 6BF81793
FindWindowW.USER32 ref: 6BF817A6
FindWindowW.USER32 ref: 6BF817B9
FindWindowW.USER32 ref: 6BF817CC
FindWindowW.USER32 ref: 6BF817DF
FindWindowW.USER32 ref: 6BF817F2
FindWindowW.USER32 ref: 6BF81805
FindWindowW.USER32 ref: 6BF81818
FindWindowW.USER32 ref: 6BF8182B
FindWindowW.USER32 ref: 6BF8183E
FindWindowW.USER32 ref: 6BF81851
FindWindowW.USER32 ref: 6BF81864
FindWindowW.USER32 ref: 6BF81877
FindWindowW.USER32 ref: 6BF8188A
FindWindowW.USER32 ref: 6BF8189D
FindWindowW.USER32 ref: 6BF818B0
FindWindowW.USER32 ref: 6BF818C3
FindWindowW.USER32 ref: 6BF818D6
FindWindowW.USER32 ref: 6BF818E9
FindWindowW.USER32 ref: 6BF818FC
FindWindowW.USER32 ref: 6BF8190F
FindWindowW.USER32 ref: 6BF81922
FindWindowW.USER32 ref: 6BF81935
FindWindowW.USER32 ref: 6BF81948
FindWindowW.USER32 ref: 6BF8195B
FindWindowW.USER32 ref: 6BF8196E
FindWindowW.USER32 ref: 6BF81981
FindWindowW.USER32 ref: 6BF81994
FindWindowW.USER32 ref: 6BF819A7
FindWindowW.USER32 ref: 6BF819BA
FindWindowW.USER32 ref: 6BF819CD
FindWindowW.USER32 ref: 6BF819E0
FindWindowW.USER32 ref: 6BF819F3
FindWindowW.USER32 ref: 6BF81A06
FindWindowW.USER32 ref: 6BF81A19
FindWindowW.USER32 ref: 6BF81A2C
FindWindowW.USER32 ref: 6BF81A3F
FindWindowW.USER32 ref: 6BF81A52
FindWindowW.USER32 ref: 6BF81A65
FindWindowW.USER32 ref: 6BF81A78
FindWindowW.USER32 ref: 6BF81A8B
FindWindowW.USER32 ref: 6BF81A9E
FindWindowW.USER32 ref: 6BF81AB1
FindWindowW.USER32 ref: 6BF81AC4
FindWindowW.USER32 ref: 6BF81AD7
FindWindowW.USER32 ref: 6BF81AEA
FindWindowW.USER32 ref: 6BF81AFD
FindWindowW.USER32 ref: 6BF81B10
FindWindowW.USER32 ref: 6BF81B23
FindWindowW.USER32 ref: 6BF81B36
FindWindowW.USER32 ref: 6BF81B49
FindWindowW.USER32 ref: 6BF81B5C
FindWindowW.USER32 ref: 6BF81B6F
FindWindowW.USER32 ref: 6BF81B82
FindWindowW.USER32 ref: 6BF81B95
FindWindowW.USER32 ref: 6BF81BA8
FindWindowW.USER32 ref: 6BF81BBB
FindWindowW.USER32 ref: 6BF81BCE
FindWindowW.USER32 ref: 6BF81BE1
FindWindowW.USER32 ref: 6BF81BF4
FindWindowW.USER32 ref: 6BF81C07
FindWindowW.USER32 ref: 6BF81C1A
FindWindowW.USER32 ref: 6BF81C2D
FindWindowW.USER32 ref: 6BF81C40
FindWindowW.USER32 ref: 6BF81C53
FindWindowW.USER32 ref: 6BF81C66
FindWindowW.USER32 ref: 6BF81C79
FindWindowW.USER32 ref: 6BF81C8C
FindWindowW.USER32 ref: 6BF81C9F
FindWindowW.USER32 ref: 6BF81CB2
FindWindowW.USER32 ref: 6BF81CC5
FindWindowW.USER32 ref: 6BF81CD8
FindWindowW.USER32 ref: 6BF81CEB
FindWindowW.USER32 ref: 6BF81CFE
FindWindowW.USER32 ref: 6BF81D11
FindWindowW.USER32 ref: 6BF81D24
FindWindowW.USER32 ref: 6BF81D37
FindWindowW.USER32 ref: 6BF81D4A
FindWindowW.USER32 ref: 6BF81D5D
FindWindowW.USER32 ref: 6BF81D70
FindWindowW.USER32 ref: 6BF81D83
FindWindowW.USER32 ref: 6BF81D96
FindWindowW.USER32 ref: 6BF81DA9
FindWindowW.USER32 ref: 6BF81DBC
FindWindowW.USER32 ref: 6BF81DCF
FindWindowW.USER32 ref: 6BF81DE2
FindWindowW.USER32 ref: 6BF81DF5
FindWindowW.USER32 ref: 6BF81E08
FindWindowW.USER32 ref: 6BF81E1B
FindWindowW.USER32 ref: 6BF81E2E
FindWindowW.USER32 ref: 6BF81E41
FindWindowW.USER32 ref: 6BF81E54
FindWindowW.USER32 ref: 6BF81E67
FindWindowW.USER32 ref: 6BF81E7A
FindWindowW.USER32 ref: 6BF81E8D
FindWindowW.USER32 ref: 6BF81EA0
FindWindowW.USER32 ref: 6BF81EB3
FindWindowW.USER32 ref: 6BF81EC6
FindWindowW.USER32 ref: 6BF81ED9
FindWindowW.USER32 ref: 6BF81EEC
FindWindowW.USER32 ref: 6BF81EFF
FindWindowW.USER32 ref: 6BF81F12
FindWindowW.USER32 ref: 6BF81F25
FindWindowW.USER32 ref: 6BF81F38
FindWindowW.USER32 ref: 6BF81F4B
FindWindowW.USER32 ref: 6BF81F5E
FindWindowW.USER32 ref: 6BF81F71
FindWindowW.USER32 ref: 6BF81F84
FindWindowW.USER32 ref: 6BF81F97
FindWindowW.USER32 ref: 6BF81FAA
FindWindowW.USER32 ref: 6BF81FBD
FindWindowW.USER32 ref: 6BF81FD0
FindWindowW.USER32 ref: 6BF81FE3
FindWindowW.USER32 ref: 6BF81FF6
FindWindowW.USER32 ref: 6BF82009
FindWindowW.USER32 ref: 6BF8201C
FindWindowW.USER32 ref: 6BF8202F
FindWindowW.USER32 ref: 6BF82042
FindWindowW.USER32 ref: 6BF82055
FindWindowW.USER32 ref: 6BF82068
FindWindowW.USER32 ref: 6BF8207B
FindWindowW.USER32 ref: 6BF8208E
FindWindowW.USER32 ref: 6BF820A1
FindWindowW.USER32 ref: 6BF820B4
FindWindowW.USER32 ref: 6BF820C7
FindWindowW.USER32 ref: 6BF820DA
FindWindowW.USER32 ref: 6BF820ED
FindWindowW.USER32 ref: 6BF82100
FindWindowW.USER32 ref: 6BF82113
FindWindowW.USER32 ref: 6BF82126
FindWindowW.USER32 ref: 6BF82139
FindWindowW.USER32 ref: 6BF8214C
FindWindowW.USER32 ref: 6BF8215F
FindWindowW.USER32 ref: 6BF82172
FindWindowW.USER32 ref: 6BF82185
FindWindowW.USER32 ref: 6BF82198
FindWindowW.USER32 ref: 6BF821AB
FindWindowW.USER32 ref: 6BF821BE
FindWindowW.USER32 ref: 6BF821D1
FindWindowW.USER32 ref: 6BF821E4
FindWindowW.USER32 ref: 6BF821F7
FindWindowW.USER32 ref: 6BF8220A
FindWindowW.USER32 ref: 6BF8221D
FindWindowW.USER32 ref: 6BF82230
FindWindowW.USER32 ref: 6BF82243
FindWindowW.USER32 ref: 6BF82256
FindWindowW.USER32 ref: 6BF82269
FindWindowW.USER32 ref: 6BF8227C
FindWindowW.USER32 ref: 6BF8228F
FindWindowW.USER32 ref: 6BF822A2
FindWindowW.USER32 ref: 6BF822B5
FindWindowW.USER32 ref: 6BF822C8
FindWindowW.USER32 ref: 6BF822DB
FindWindowW.USER32 ref: 6BF822EE
FindWindowW.USER32 ref: 6BF82301
FindWindowW.USER32 ref: 6BF82314
FindWindowW.USER32 ref: 6BF82327
FindWindowW.USER32 ref: 6BF8233A
FindWindowW.USER32 ref: 6BF8234D
FindWindowW.USER32 ref: 6BF82360
FindWindowW.USER32 ref: 6BF82373
FindWindowW.USER32 ref: 6BF82386
FindWindowW.USER32 ref: 6BF82399
FindWindowW.USER32 ref: 6BF823AC
FindWindowW.USER32 ref: 6BF823BF
FindWindowW.USER32 ref: 6BF823D2
FindWindowW.USER32 ref: 6BF823E5
FindWindowW.USER32 ref: 6BF823F8
FindWindowW.USER32 ref: 6BF8240B
FindWindowW.USER32 ref: 6BF8241E
FindWindowW.USER32 ref: 6BF82431
FindWindowW.USER32 ref: 6BF82444
FindWindowW.USER32 ref: 6BF82457
FindWindowW.USER32 ref: 6BF8246A
FindWindowW.USER32 ref: 6BF8247D
FindWindowW.USER32 ref: 6BF82490
FindWindowW.USER32 ref: 6BF824A3
FindWindowW.USER32 ref: 6BF824B6
FindWindowW.USER32 ref: 6BF824C9
FindWindowW.USER32 ref: 6BF824DC
FindWindowW.USER32 ref: 6BF824EF
FindWindowW.USER32 ref: 6BF82502
FindWindowW.USER32 ref: 6BF82515
FindWindowW.USER32 ref: 6BF82528
FindWindowW.USER32 ref: 6BF8253B
FindWindowW.USER32 ref: 6BF8254E
FindWindowW.USER32 ref: 6BF82561
FindWindowW.USER32 ref: 6BF82574
FindWindowW.USER32 ref: 6BF82587
FindWindowW.USER32 ref: 6BF8259A
FindWindowW.USER32 ref: 6BF825AD
FindWindowW.USER32 ref: 6BF825C0
FindWindowW.USER32 ref: 6BF825D3
FindWindowW.USER32 ref: 6BF825E6
FindWindowW.USER32 ref: 6BF825F9
FindWindowW.USER32 ref: 6BF8260C
FindWindowW.USER32 ref: 6BF8261F
FindWindowW.USER32 ref: 6BF82632
FindWindowW.USER32 ref: 6BF82645
FindWindowW.USER32 ref: 6BF82658
FindWindowW.USER32 ref: 6BF8266B
FindWindowW.USER32 ref: 6BF8267E
FindWindowW.USER32 ref: 6BF82691
FindWindowW.USER32 ref: 6BF826A4
FindWindowW.USER32 ref: 6BF826B7
FindWindowW.USER32 ref: 6BF826CA
FindWindowW.USER32 ref: 6BF826DD
FindWindowW.USER32 ref: 6BF826F0
FindWindowW.USER32 ref: 6BF82703
FindWindowW.USER32 ref: 6BF82716
FindWindowW.USER32 ref: 6BF82729
FindWindowW.USER32 ref: 6BF8273C
FindWindowW.USER32 ref: 6BF8274F
FindWindowW.USER32 ref: 6BF82762
FindWindowW.USER32 ref: 6BF82775
FindWindowW.USER32 ref: 6BF82788
FindWindowW.USER32 ref: 6BF8279B
FindWindowW.USER32 ref: 6BF827AE
FindWindowW.USER32 ref: 6BF827C1
FindWindowW.USER32 ref: 6BF827D4
FindWindowW.USER32 ref: 6BF827E7
FindWindowW.USER32 ref: 6BF827FA
FindWindowW.USER32 ref: 6BF8280D
FindWindowW.USER32 ref: 6BF82820
FindWindowW.USER32 ref: 6BF82833
FindWindowW.USER32 ref: 6BF82846
FindWindowW.USER32 ref: 6BF82859
FindWindowW.USER32 ref: 6BF8286C
FindWindowW.USER32 ref: 6BF8287F
FindWindowW.USER32 ref: 6BF82892
FindWindowW.USER32 ref: 6BF828A5
FindWindowW.USER32 ref: 6BF828B8
FindWindowW.USER32 ref: 6BF828CB
FindWindowW.USER32 ref: 6BF828DE
FindWindowW.USER32 ref: 6BF828F1
FindWindowW.USER32 ref: 6BF82904
FindWindowW.USER32 ref: 6BF82917
FindWindowW.USER32 ref: 6BF8292A
FindWindowW.USER32 ref: 6BF8293D
FindWindowW.USER32 ref: 6BF82950
FindWindowW.USER32 ref: 6BF82963
FindWindowW.USER32 ref: 6BF82976
FindWindowW.USER32 ref: 6BF82989
FindWindowW.USER32 ref: 6BF8299C
FindWindowW.USER32 ref: 6BF829AF
FindWindowW.USER32 ref: 6BF829C2
FindWindowW.USER32 ref: 6BF829D5
FindWindowW.USER32 ref: 6BF829E8
FindWindowW.USER32 ref: 6BF829FB
FindWindowW.USER32 ref: 6BF82A0E
FindWindowW.USER32 ref: 6BF82A21
FindWindowW.USER32 ref: 6BF82A34
FindWindowW.USER32 ref: 6BF82A47
FindWindowW.USER32 ref: 6BF82A5A
FindWindowW.USER32 ref: 6BF82A6D
FindWindowW.USER32 ref: 6BF82A80
FindWindowW.USER32 ref: 6BF82A93
FindWindowW.USER32 ref: 6BF82AA6
FindWindowW.USER32 ref: 6BF82AB9
FindWindowW.USER32 ref: 6BF82ACC
FindWindowW.USER32 ref: 6BF82ADF
FindWindowW.USER32 ref: 6BF82AF2
FindWindowW.USER32 ref: 6BF82B05
FindWindowW.USER32 ref: 6BF82B18
FindWindowW.USER32 ref: 6BF82B2B
FindWindowW.USER32 ref: 6BF82B3E
FindWindowW.USER32 ref: 6BF82B51
FindWindowW.USER32 ref: 6BF82B64
FindWindowW.USER32 ref: 6BF82B77
FindWindowW.USER32 ref: 6BF82B8A
FindWindowW.USER32 ref: 6BF82B9D
FindWindowW.USER32 ref: 6BF82BB0
FindWindowW.USER32 ref: 6BF82BC3
FindWindowW.USER32 ref: 6BF82BD6
FindWindowW.USER32 ref: 6BF82BE9
FindWindowW.USER32 ref: 6BF82BFC
FindWindowW.USER32 ref: 6BF82C0F
FindWindowW.USER32 ref: 6BF82C22
FindWindowW.USER32 ref: 6BF82C35
FindWindowW.USER32 ref: 6BF82C48
FindWindowW.USER32 ref: 6BF82C5B
FindWindowW.USER32 ref: 6BF82C6E
FindWindowW.USER32 ref: 6BF82C81
FindWindowW.USER32 ref: 6BF82C94
FindWindowW.USER32 ref: 6BF82CA7
FindWindowW.USER32 ref: 6BF82CBA
FindWindowW.USER32 ref: 6BF82CCD
FindWindowW.USER32 ref: 6BF82CE0
FindWindowW.USER32 ref: 6BF82CF3
FindWindowW.USER32 ref: 6BF82D06
FindWindowW.USER32 ref: 6BF82D19
FindWindowW.USER32 ref: 6BF82D2C
FindWindowW.USER32 ref: 6BF82D3F
FindWindowW.USER32 ref: 6BF82D52
FindWindowW.USER32 ref: 6BF82D65
FindWindowW.USER32 ref: 6BF82D78
FindWindowW.USER32 ref: 6BF82D8B
FindWindowW.USER32 ref: 6BF82D9E
FindWindowW.USER32 ref: 6BF82DB1
FindWindowW.USER32 ref: 6BF82DC4
FindWindowW.USER32 ref: 6BF82DD7
FindWindowW.USER32 ref: 6BF82DEA
FindWindowW.USER32 ref: 6BF82DFD
FindWindowW.USER32 ref: 6BF82E10
FindWindowW.USER32 ref: 6BF82E23
FindWindowW.USER32 ref: 6BF82E36
FindWindowW.USER32 ref: 6BF82E49
FindWindowW.USER32 ref: 6BF82E5C
FindWindowW.USER32 ref: 6BF82E6F
FindWindowW.USER32 ref: 6BF82E82
FindWindowW.USER32 ref: 6BF82E95
FindWindowW.USER32 ref: 6BF82EA8
FindWindowW.USER32 ref: 6BF82EBB
FindWindowW.USER32 ref: 6BF82ECE
FindWindowW.USER32 ref: 6BF82EE1
FindWindowW.USER32 ref: 6BF82EF4
FindWindowW.USER32 ref: 6BF82F07
FindWindowW.USER32 ref: 6BF82F1A
FindWindowW.USER32 ref: 6BF82F2D
FindWindowW.USER32 ref: 6BF82F40
FindWindowW.USER32 ref: 6BF82F53
FindWindowW.USER32 ref: 6BF82F66
FindWindowW.USER32 ref: 6BF82F79
FindWindowW.USER32 ref: 6BF82F8C
FindWindowW.USER32 ref: 6BF82F9F
FindWindowW.USER32 ref: 6BF82FB2
FindWindowW.USER32 ref: 6BF82FC5
FindWindowW.USER32 ref: 6BF82FD8
FindWindowW.USER32 ref: 6BF82FEB
FindWindowW.USER32 ref: 6BF82FFE
FindWindowW.USER32 ref: 6BF83011
FindWindowW.USER32 ref: 6BF83024
FindWindowW.USER32 ref: 6BF83037
FindWindowW.USER32 ref: 6BF8304A
FindWindowW.USER32 ref: 6BF8305D
FindWindowW.USER32 ref: 6BF83070
FindWindowW.USER32 ref: 6BF83083
FindWindowW.USER32 ref: 6BF83096
FindWindowW.USER32 ref: 6BF830A9
FindWindowW.USER32 ref: 6BF830BC
FindWindowW.USER32 ref: 6BF830CF
FindWindowW.USER32 ref: 6BF830E2
FindWindowW.USER32 ref: 6BF830F5
FindWindowW.USER32 ref: 6BF83108
FindWindowW.USER32 ref: 6BF8311B
FindWindowW.USER32 ref: 6BF8312E
FindWindowW.USER32 ref: 6BF83141
FindWindowW.USER32 ref: 6BF83154
FindWindowW.USER32 ref: 6BF83167
FindWindowW.USER32 ref: 6BF8317A
FindWindowW.USER32 ref: 6BF8318D
FindWindowW.USER32 ref: 6BF831A0
FindWindowW.USER32 ref: 6BF831B3
FindWindowW.USER32 ref: 6BF831C6
FindWindowW.USER32 ref: 6BF831D9
FindWindowW.USER32 ref: 6BF831EC
FindWindowW.USER32 ref: 6BF831FF
FindWindowW.USER32 ref: 6BF83212
FindWindowW.USER32 ref: 6BF83225
FindWindowW.USER32 ref: 6BF83238
FindWindowW.USER32 ref: 6BF8324B
FindWindowW.USER32 ref: 6BF8325E
FindWindowW.USER32 ref: 6BF83271
FindWindowW.USER32 ref: 6BF83284
FindWindowW.USER32 ref: 6BF83297
FindWindowW.USER32 ref: 6BF832AA
FindWindowW.USER32 ref: 6BF832BD
FindWindowW.USER32 ref: 6BF832D0
FindWindowW.USER32 ref: 6BF832E3
FindWindowW.USER32 ref: 6BF832F6
FindWindowW.USER32 ref: 6BF83309
FindWindowW.USER32 ref: 6BF8331C
FindWindowW.USER32 ref: 6BF8332F
FindWindowW.USER32 ref: 6BF83342
FindWindowW.USER32 ref: 6BF83355
FindWindowW.USER32 ref: 6BF83368
FindWindowW.USER32 ref: 6BF8337B
FindWindowW.USER32 ref: 6BF8338E
FindWindowW.USER32 ref: 6BF833A1
FindWindowW.USER32 ref: 6BF833B4
FindWindowW.USER32 ref: 6BF833C7
FindWindowW.USER32 ref: 6BF833DA
FindWindowW.USER32 ref: 6BF833ED
FindWindowW.USER32 ref: 6BF83400
FindWindowW.USER32 ref: 6BF83413
FindWindowW.USER32 ref: 6BF83426
FindWindowW.USER32 ref: 6BF83439
FindWindowW.USER32 ref: 6BF8344C
FindWindowW.USER32 ref: 6BF8345F
FindWindowW.USER32 ref: 6BF83472
FindWindowW.USER32 ref: 6BF83485
FindWindowW.USER32 ref: 6BF83498
FindWindowW.USER32 ref: 6BF834AB
FindWindowW.USER32 ref: 6BF834BE
FindWindowW.USER32 ref: 6BF834D1
FindWindowW.USER32 ref: 6BF834E4
FindWindowW.USER32 ref: 6BF834F7
FindWindowW.USER32 ref: 6BF8350A
FindWindowW.USER32 ref: 6BF8351D
FindWindowW.USER32 ref: 6BF83530
FindWindowW.USER32 ref: 6BF83543
FindWindowW.USER32 ref: 6BF83556
FindWindowW.USER32 ref: 6BF83569
FindWindowW.USER32 ref: 6BF8357C
FindWindowW.USER32 ref: 6BF8358F
FindWindowW.USER32 ref: 6BF835A2
FindWindowW.USER32 ref: 6BF835B5
FindWindowW.USER32 ref: 6BF835C8
FindWindowW.USER32 ref: 6BF835DB
FindWindowW.USER32 ref: 6BF835EE
FindWindowW.USER32 ref: 6BF83601
FindWindowW.USER32 ref: 6BF83614
FindWindowW.USER32 ref: 6BF83627
FindWindowW.USER32 ref: 6BF8363A
FindWindowW.USER32 ref: 6BF8364D
FindWindowW.USER32 ref: 6BF83660
FindWindowW.USER32 ref: 6BF83673
FindWindowW.USER32 ref: 6BF83686
FindWindowW.USER32 ref: 6BF83699
FindWindowW.USER32 ref: 6BF836AC
FindWindowW.USER32 ref: 6BF836BF
FindWindowW.USER32 ref: 6BF836D2
FindWindowW.USER32 ref: 6BF836E5
FindWindowW.USER32 ref: 6BF836F8
FindWindowW.USER32 ref: 6BF8370B
FindWindowW.USER32 ref: 6BF8371E
FindWindowW.USER32 ref: 6BF83731
FindWindowW.USER32 ref: 6BF83744
FindWindowW.USER32 ref: 6BF83757
FindWindowW.USER32 ref: 6BF8376A
FindWindowW.USER32 ref: 6BF8377D
FindWindowW.USER32 ref: 6BF83790
FindWindowW.USER32 ref: 6BF837A3
FindWindowW.USER32 ref: 6BF837B6
FindWindowW.USER32 ref: 6BF837C9
FindWindowW.USER32 ref: 6BF837DC
FindWindowW.USER32 ref: 6BF837EF
FindWindowW.USER32 ref: 6BF83802
FindWindowW.USER32 ref: 6BF83815
FindWindowW.USER32 ref: 6BF83828
FindWindowW.USER32 ref: 6BF8383B
FindWindowW.USER32 ref: 6BF8384E
FindWindowW.USER32 ref: 6BF83861
FindWindowW.USER32 ref: 6BF83874
FindWindowW.USER32 ref: 6BF83887
FindWindowW.USER32 ref: 6BF8389A
FindWindowW.USER32 ref: 6BF838AD
FindWindowW.USER32 ref: 6BF838C0
FindWindowW.USER32 ref: 6BF838D3
FindWindowW.USER32 ref: 6BF838E6
FindWindowW.USER32 ref: 6BF838F9
FindWindowW.USER32 ref: 6BF8390C
FindWindowW.USER32 ref: 6BF8391F
FindWindowW.USER32 ref: 6BF83932
FindWindowW.USER32 ref: 6BF83945
FindWindowW.USER32 ref: 6BF83958
FindWindowW.USER32 ref: 6BF8396B
FindWindowW.USER32 ref: 6BF8397E
FindWindowW.USER32 ref: 6BF83991
FindWindowW.USER32 ref: 6BF839A4
FindWindowW.USER32 ref: 6BF839B7
FindWindowW.USER32 ref: 6BF839CA
FindWindowW.USER32 ref: 6BF839DD
FindWindowW.USER32 ref: 6BF839F0
FindWindowW.USER32 ref: 6BF83A03
FindWindowW.USER32 ref: 6BF83A16
FindWindowW.USER32 ref: 6BF83A29
FindWindowW.USER32 ref: 6BF83A3C
FindWindowW.USER32 ref: 6BF83A4F
FindWindowW.USER32 ref: 6BF83A62
FindWindowW.USER32 ref: 6BF83A75
FindWindowW.USER32 ref: 6BF83A88
FindWindowW.USER32 ref: 6BF83A9B
FindWindowW.USER32 ref: 6BF83AAE
FindWindowW.USER32 ref: 6BF83AC1
FindWindowW.USER32 ref: 6BF83AD4
FindWindowW.USER32 ref: 6BF83AE7
FindWindowW.USER32 ref: 6BF83AFA
FindWindowW.USER32 ref: 6BF83B0D
FindWindowW.USER32 ref: 6BF83B20
FindWindowW.USER32 ref: 6BF83B33
FindWindowW.USER32 ref: 6BF83B46
FindWindowW.USER32 ref: 6BF83B59
FindWindowW.USER32 ref: 6BF83B6C
FindWindowW.USER32 ref: 6BF83B7F
FindWindowW.USER32 ref: 6BF83B92
FindWindowW.USER32 ref: 6BF83BA5
FindWindowW.USER32 ref: 6BF83BB8
FindWindowW.USER32 ref: 6BF83BCB
FindWindowW.USER32 ref: 6BF83BDE
FindWindowW.USER32 ref: 6BF83BF1
FindWindowW.USER32 ref: 6BF83C04
FindWindowW.USER32 ref: 6BF83C17
FindWindowW.USER32 ref: 6BF83C2A
FindWindowW.USER32 ref: 6BF83C3D
FindWindowW.USER32 ref: 6BF83C50
FindWindowW.USER32 ref: 6BF83C63
FindWindowW.USER32 ref: 6BF83C76
FindWindowW.USER32 ref: 6BF83C89
FindWindowW.USER32 ref: 6BF83C9C
FindWindowW.USER32 ref: 6BF83CAF
FindWindowW.USER32 ref: 6BF83CC2
FindWindowW.USER32 ref: 6BF83CD5
FindWindowW.USER32 ref: 6BF83CE8
FindWindowW.USER32 ref: 6BF83CFB
FindWindowW.USER32 ref: 6BF83D0E
FindWindowW.USER32 ref: 6BF83D21
FindWindowW.USER32 ref: 6BF83D34
FindWindowW.USER32 ref: 6BF83D47
FindWindowW.USER32 ref: 6BF83D5A
FindWindowW.USER32 ref: 6BF83D6D
FindWindowW.USER32 ref: 6BF83D80
FindWindowW.USER32 ref: 6BF83D93
FindWindowW.USER32 ref: 6BF83DA6
FindWindowW.USER32 ref: 6BF83DB9
FindWindowW.USER32 ref: 6BF83DCC
FindWindowW.USER32 ref: 6BF83DDF
FindWindowW.USER32 ref: 6BF83DF2
FindWindowW.USER32 ref: 6BF83E05
FindWindowW.USER32 ref: 6BF83E18
FindWindowW.USER32 ref: 6BF83E2B
FindWindowW.USER32 ref: 6BF83E3E
FindWindowW.USER32 ref: 6BF83E51
FindWindowW.USER32 ref: 6BF83E64
FindWindowW.USER32 ref: 6BF83E77
FindWindowW.USER32 ref: 6BF83E8A
FindWindowW.USER32 ref: 6BF83E9D
FindWindowW.USER32 ref: 6BF83EB0
FindWindowW.USER32 ref: 6BF83EC3
FindWindowW.USER32 ref: 6BF83ED6
FindWindowW.USER32 ref: 6BF83EE9
FindWindowW.USER32 ref: 6BF83EFC
FindWindowW.USER32 ref: 6BF83F0F
FindWindowW.USER32 ref: 6BF83F22
FindWindowW.USER32 ref: 6BF83F35
FindWindowW.USER32 ref: 6BF83F48
FindWindowW.USER32 ref: 6BF83F5B
FindWindowW.USER32 ref: 6BF83F6E
FindWindowW.USER32 ref: 6BF83F81
FindWindowW.USER32 ref: 6BF83F94
FindWindowW.USER32 ref: 6BF83FA7
FindWindowW.USER32 ref: 6BF83FBA
FindWindowW.USER32 ref: 6BF83FCD
FindWindowW.USER32 ref: 6BF83FE0
FindWindowW.USER32 ref: 6BF83FF3
FindWindowW.USER32 ref: 6BF84006
FindWindowW.USER32 ref: 6BF84019
FindWindowW.USER32 ref: 6BF8402C
FindWindowW.USER32 ref: 6BF8403F
FindWindowW.USER32 ref: 6BF84052
FindWindowW.USER32 ref: 6BF84065
FindWindowW.USER32 ref: 6BF84078
FindWindowW.USER32 ref: 6BF8408B
FindWindowW.USER32 ref: 6BF8409E
FindWindowW.USER32 ref: 6BF840B1
FindWindowW.USER32 ref: 6BF840C4
FindWindowW.USER32 ref: 6BF840D7
FindWindowW.USER32 ref: 6BF840EA
FindWindowW.USER32 ref: 6BF840FD
FindWindowW.USER32 ref: 6BF84110
FindWindowW.USER32 ref: 6BF84123
FindWindowW.USER32 ref: 6BF84136
FindWindowW.USER32 ref: 6BF84149
FindWindowW.USER32 ref: 6BF8415C
FindWindowW.USER32 ref: 6BF8416F
FindWindowW.USER32 ref: 6BF84182
FindWindowW.USER32 ref: 6BF84195
FindWindowW.USER32 ref: 6BF841A8
FindWindowW.USER32 ref: 6BF841BB
FindWindowW.USER32 ref: 6BF841CE
FindWindowW.USER32 ref: 6BF841E1
FindWindowW.USER32 ref: 6BF841F4
FindWindowW.USER32 ref: 6BF84207
FindWindowW.USER32 ref: 6BF8421A
FindWindowW.USER32 ref: 6BF8422D
FindWindowW.USER32 ref: 6BF84240
FindWindowW.USER32 ref: 6BF84253
FindWindowW.USER32 ref: 6BF84266
FindWindowW.USER32 ref: 6BF84279
FindWindowW.USER32 ref: 6BF8428C
FindWindowW.USER32 ref: 6BF8429F
FindWindowW.USER32 ref: 6BF842B2
FindWindowW.USER32 ref: 6BF842C5
FindWindowW.USER32 ref: 6BF842D8
FindWindowW.USER32 ref: 6BF842EB
FindWindowW.USER32 ref: 6BF842FE
FindWindowW.USER32 ref: 6BF84311
FindWindowW.USER32 ref: 6BF84324
FindWindowW.USER32 ref: 6BF84337
FindWindowW.USER32 ref: 6BF8434A
FindWindowW.USER32 ref: 6BF8435D
FindWindowW.USER32 ref: 6BF84370
FindWindowW.USER32 ref: 6BF84383
FindWindowW.USER32 ref: 6BF84396
FindWindowW.USER32 ref: 6BF843A9
FindWindowW.USER32 ref: 6BF843BC
FindWindowW.USER32 ref: 6BF843CF
FindWindowW.USER32 ref: 6BF843E2
FindWindowW.USER32 ref: 6BF843F5
FindWindowW.USER32 ref: 6BF84408
FindWindowW.USER32 ref: 6BF8441B
FindWindowW.USER32 ref: 6BF8442E
FindWindowW.USER32 ref: 6BF84441
FindWindowW.USER32 ref: 6BF84454
FindWindowW.USER32 ref: 6BF84467
FindWindowW.USER32 ref: 6BF8447A
FindWindowW.USER32 ref: 6BF8448D
FindWindowW.USER32 ref: 6BF844A0
FindWindowW.USER32 ref: 6BF844B3
FindWindowW.USER32 ref: 6BF844C6
FindWindowW.USER32 ref: 6BF844D9
FindWindowW.USER32 ref: 6BF844EC
FindWindowW.USER32 ref: 6BF844FF
FindWindowW.USER32 ref: 6BF84512
FindWindowW.USER32 ref: 6BF84525
FindWindowW.USER32 ref: 6BF84538
FindWindowW.USER32 ref: 6BF8454B
FindWindowW.USER32 ref: 6BF8455E
FindWindowW.USER32 ref: 6BF84571
FindWindowW.USER32 ref: 6BF84584
FindWindowW.USER32 ref: 6BF84597
FindWindowW.USER32 ref: 6BF845AA
FindWindowW.USER32 ref: 6BF845BD
FindWindowW.USER32 ref: 6BF845D0
FindWindowW.USER32 ref: 6BF845E3
FindWindowW.USER32 ref: 6BF845F6
FindWindowW.USER32 ref: 6BF84609
FindWindowW.USER32 ref: 6BF8461C
FindWindowW.USER32 ref: 6BF8462F
FindWindowW.USER32 ref: 6BF84642
FindWindowW.USER32 ref: 6BF84655
FindWindowW.USER32 ref: 6BF84668
FindWindowW.USER32 ref: 6BF8467B
FindWindowW.USER32 ref: 6BF8468E
FindWindowW.USER32 ref: 6BF846A1
FindWindowW.USER32 ref: 6BF846B4
FindWindowW.USER32 ref: 6BF846C7
FindWindowW.USER32 ref: 6BF846DA
FindWindowW.USER32 ref: 6BF846ED
FindWindowW.USER32 ref: 6BF84700
FindWindowW.USER32 ref: 6BF84713
FindWindowW.USER32 ref: 6BF84726
FindWindowW.USER32 ref: 6BF84739

Strings

sqlite3.dll, xrefs: 6BF8477D
eXAWVDek, xrefs: 6BF847F9

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: FindWindow
String ID: eXAWVDek$sqlite3.dll
API String ID: 134000473-1838081297
Opcode ID: a099714d48622af70f3a1d44238d0f3e7f57dd0d9f8efb68de67f3dc1db09ec3
Instruction ID: a8d95cd9b85fbfd9e5cd002bfb476a1c9fabda238d14d4928a65c4f6e730ef5e
Opcode Fuzzy Hash: a099714d48622af70f3a1d44238d0f3e7f57dd0d9f8efb68de67f3dc1db09ec3
Instruction Fuzzy Hash: 69A402A1612ADEA8EB01DF64FC9139433BFAB50388FA49066D50D87175AF7AC5BDC310

Uniqueness

Uniqueness Score: -1.00%

Function 6BE475A0 Relevance: 4.6, APIs: 3, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(?,?,?,?,04000001FF000200,?,?,?,?,?,6BE47DCE,00000000,?,?,6BE54D6F), ref: 6BE475E0
VirtualQuery.KERNEL32(?,?,?,?,04000001FF000200,?,?,?,?,?,6BE47DCE,00000000,?,?,6BE54D6F), ref: 6BE4760B
VirtualFree.KERNEL32(?,?,?,?,04000001FF000200,?,?,?,?,?,6BE47DCE,00000000,?,?,6BE54D6F), ref: 6BE4761B

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: cb14e02b5b1262c4c80436262aa9a827977ef83d82f69b3c54b78fbfa432d047
Instruction ID: 5ace4a8378a4853ebe867ca4645b801c1e9ea21412b6ca32c4149fc0e38bd371
Opcode Fuzzy Hash: cb14e02b5b1262c4c80436262aa9a827977ef83d82f69b3c54b78fbfa432d047
Instruction Fuzzy Hash: 40110E22715A4488EB158EBFAD807462A56A749FFCF248275EE6D077D0EE3CC096C3C1

Uniqueness

Uniqueness Score: -1.00%

Function 6BE47BC0 Relevance: 3.9, APIs: 3, Instructions: 144
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,6BE54D6F), ref: 6BE47C7A
Sleep.KERNEL32(00000000,?,?,6BE54D6F), ref: 6BE47C9D
VirtualFree.KERNEL32(00000000,?,?,6BE54D6F), ref: 6BE47D81

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: Sleep$FreeVirtual
String ID:
API String ID: 3067263416-0
Opcode ID: ba0596d1ca3feefe854a59417e374075e2396f26a19a312980241e517d486a34
Instruction ID: 9a5032c41a38199bce404ecc2c07b86cd697154ef3fe0ca0a4a25c21abcb62cc
Opcode Fuzzy Hash: ba0596d1ca3feefe854a59417e374075e2396f26a19a312980241e517d486a34
Instruction Fuzzy Hash: D5510362715B8489DB05CF35F84035A73A5F70AB98F648A69CB9D83394DF3DC4A1C390

Uniqueness

Uniqueness Score: -1.00%

Function 6BE477F0 Relevance: 2.7, APIs: 2, Instructions: 243
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,-00000001,?,?,6BE54D92), ref: 6BE478EC
Sleep.KERNEL32(00000000,-00000001,?,?,6BE54D92), ref: 6BE47905

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a7940c8d2bcb379a833bc8a05a627e19325e3d50e0ea9088011264fddc1aa2d4
Instruction ID: 35c5be128bf17c3b7da47d7fe516fbada29811a484a6f31c3f630a59c1f54072
Opcode Fuzzy Hash: a7940c8d2bcb379a833bc8a05a627e19325e3d50e0ea9088011264fddc1aa2d4
Instruction Fuzzy Hash: E8B124B3601B94C6D7098F28F95035977A2F344B68F648669C7AD877E8DB7CC4A5C380

Uniqueness

Uniqueness Score: -1.00%

Function 6BE550A0 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultUILanguage.KERNEL32 ref: 6BE55206

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: DefaultLanguageSystem
String ID:
API String ID: 4166810957-0
Opcode ID: ba58b57206b961e2ede13d1ad3d9845d373a64c1f4a0d5312e55fa51b502b159
Instruction ID: 21991e4c8622bc98bbad1c447e97e5e5996e2ee39d0f3a9f64ab90e37ab35cce
Opcode Fuzzy Hash: ba58b57206b961e2ede13d1ad3d9845d373a64c1f4a0d5312e55fa51b502b159
Instruction Fuzzy Hash: D951E136210B8489DB20DF75D8913D927B2F785B9CF60545AEA0D8BB5CDF7AC5A4C380

Uniqueness

Uniqueness Score: -1.00%

Function 6BE4E240 Relevance: 1.6, APIs: 1, Instructions: 79
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 6BE4E2A7

Part of subcall function 6BE4E970: GetCurrentThreadId.KERNEL32 ref: 6BE4E9A0
Part of subcall function 6BE4E970: FreeLibrary.KERNEL32 ref: 6BE4EA79
Part of subcall function 6BE4E970: ExitProcess.KERNEL32 ref: 6BE4EACD

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: CurrentThread$ExitFreeLibraryProcess
String ID:
API String ID: 274535261-0
Opcode ID: 36baff47e50286e30d3a3b4b7f003f29b19bf662a8361128b7cd608225014bfb
Instruction ID: c4aca540193fee8b3b5ada60c415d8e200a6461943663505acf2253c04877aec
Opcode Fuzzy Hash: 36baff47e50286e30d3a3b4b7f003f29b19bf662a8361128b7cd608225014bfb
Instruction Fuzzy Hash: C2312132514B88DAD766DF30EC487CA37BAF708748F900569CA4D5B764CB39869AC300

Uniqueness

Uniqueness Score: -1.00%

Function 6BE552D0 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 6BE5530A

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 46fb0f7c4070b9b99976c0860fe073ee63c1241d33055de5d8568f91400fe819
Instruction ID: 28aa76233de8b45be41787bbbfb170d2f4e5e5bbe597e768f942f77c95b6e564
Opcode Fuzzy Hash: 46fb0f7c4070b9b99976c0860fe073ee63c1241d33055de5d8568f91400fe819
Instruction Fuzzy Hash: 03112733220A5498DB14DF75D8913DE37A6EB4478CF61101AFA4E47B98DF3AC199C391

Uniqueness

Uniqueness Score: -1.00%

Function 6BE53A90 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 6BE53AB4

Part of subcall function 6BE552D0: GetModuleFileNameW.KERNEL32 ref: 6BE5530A

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: edf2d650bc4e554e2b0285e89424bff7a73989e8a2ac95c98a52a611111222a2
Instruction ID: 941983dae522f8b1f6beb3c9b2f9a83a0508df30fe56c27f5ccdccd64b900558
Opcode Fuzzy Hash: edf2d650bc4e554e2b0285e89424bff7a73989e8a2ac95c98a52a611111222a2
Instruction Fuzzy Hash: 9AF01573611A4888CB20EF71E44478823B4F308B9CFA602159F8C4B708DF39C1A9C751

Uniqueness

Uniqueness Score: -1.00%

Function 6BF2FF40 Relevance: 1.4, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 6BF30057

Part of subcall function 6BE756E0: FormatMessageW.KERNEL32 ref: 6BE7573D
Part of subcall function 6BE756E0: LocalFree.KERNEL32(?,?,?,?,?,?,6BF30105), ref: 6BE75786

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: f9b2c7e2fa627628687a79c1cc929e69810122754fabbd751b442b2068f9ce5f
Instruction ID: 3514e7b02147ad7b4a0f89de5ee724d2bacf6d6665345e2f4c68dcf721f00ac0
Opcode Fuzzy Hash: f9b2c7e2fa627628687a79c1cc929e69810122754fabbd751b442b2068f9ce5f
Instruction Fuzzy Hash: A8511322214BC089D760EF75DC803D937A2F7457ACF50421ADA5D4BBA9DF78C285C381

Uniqueness

Uniqueness Score: -1.00%

Function 020AB690 Relevance: 1.3, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h, xrefs: 020AB77F

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 442c6f943ac74300e4206b99736ae9c0906ad149fadfac253a815631173d7754
Instruction ID: cee0e6261492dfb32f9d8171de9fac70ab6116525a4f5a531ba6a6b5da01dec5
Opcode Fuzzy Hash: 442c6f943ac74300e4206b99736ae9c0906ad149fadfac253a815631173d7754
Instruction Fuzzy Hash: F841F672210BC489DB20EF64D8503DA3366F79879CF504126EB8D4BB59DF39C659DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6BE47420 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,000000A6,6BE47B02,00000000,-00000001,?,?,6BE54D92), ref: 6BE4743F

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de32b4ce74140b0b0cdb301210abc82cb23a06824cf6700066aaa7589803317f
Instruction ID: b5e1fcb1fd531f00e12809e3f1b1e62b03fd8d48f90827dab2e15ca4876f19e0
Opcode Fuzzy Hash: de32b4ce74140b0b0cdb301210abc82cb23a06824cf6700066aaa7589803317f
Instruction Fuzzy Hash: A90162F170174882E7198FA5FE9531536D5B7087C4F20483D994CC77A9DB3D84E58390

Uniqueness

Uniqueness Score: -1.00%

Function 020839F0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7132d283c06bc50ce9c3c8e1b5a28c95314462bb8e22dae744d50f314d62f8e5
Instruction ID: b4acd3e5b605d79eea01d287dd74f0226724f21ccfb9d26b30d853c051709c0a
Opcode Fuzzy Hash: 7132d283c06bc50ce9c3c8e1b5a28c95314462bb8e22dae744d50f314d62f8e5
Instruction Fuzzy Hash: 7711CE12311B5584EB52ABA7888079B2A85B7C8FF8F048275DEEE077D0EF78C0869701

Uniqueness

Uniqueness Score: -1.00%

Function 0209FA70 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eabe2a85996a0ae572f73cb1f3c17a934dad9572fbe308bc41528f79607734a
Instruction ID: 1cfe21677ebc00804e94291b02b60b3d2cf562f86d3a272f5ebd71c28bfbf2f8
Opcode Fuzzy Hash: 7eabe2a85996a0ae572f73cb1f3c17a934dad9572fbe308bc41528f79607734a
Instruction Fuzzy Hash: 9511023270430642EE619B64A47CB9B50A267857BCF140318EDBB8BBD0D7BEC1467B80

Uniqueness

Uniqueness Score: -1.00%

Function 020AB0E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38353b98ae9a1d6985d56118dd9ad0aae3614e4aada85c4b5d40afc17fa07205
Instruction ID: 02d00760c2ce81a278ca2f33eba390503f96bf0ff1c4282acb0e30ef89b0e514
Opcode Fuzzy Hash: 38353b98ae9a1d6985d56118dd9ad0aae3614e4aada85c4b5d40afc17fa07205
Instruction Fuzzy Hash: 7C21F932200B8489DB60EF31D8507DE3761F785B9CF504255EA9D8BB98CF39D545DB80

Uniqueness

Uniqueness Score: -1.00%

Function 020AB510 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe3b72e9833a4b4593f3f47fd918ccb52ebb3cadc8e5792c7c5bc990570bf1c
Instruction ID: c06cf3fc55c8f32abe94668172ffcd3f5e48ed66175737cfc032298bb827b4e1
Opcode Fuzzy Hash: 8fe3b72e9833a4b4593f3f47fd918ccb52ebb3cadc8e5792c7c5bc990570bf1c
Instruction Fuzzy Hash: 8711AC32214680CECB64EF75D8503DA3BA1F7447ACF540225EA9D87B88DF39C104DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02083870 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8bdeb87a8631300c3fef7b7405dd7071bdecebcfa691e024f7b4587126d749b
Instruction ID: 22706eef09bfebeda5548a6a20bf35e56aa8b7bce3f229d2c12789bf346e0b9a
Opcode Fuzzy Hash: d8bdeb87a8631300c3fef7b7405dd7071bdecebcfa691e024f7b4587126d749b
Instruction Fuzzy Hash: 8D01AFB1701B4086EF269FA9A9A875632FCB748B84F10403DDE8C87B55DF3D84E58340

Uniqueness

Uniqueness Score: -1.00%

Function 020AB210 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25425ccb6c87b66e7923e28144418a009784fd44be6d15fa51691ad4df885e27
Instruction ID: 2c840654cc10a2ec703ed5d1e3942a5c5ddfe01b8b5a2e50ae1716583c4383b7
Opcode Fuzzy Hash: 25425ccb6c87b66e7923e28144418a009784fd44be6d15fa51691ad4df885e27
Instruction Fuzzy Hash: 5D01A832210A9489CB44EFB2D850AEE37A6F794B9CF446016BA4E47B18CF74C595DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02083960 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21b2ad953f11bd3813ea5922c5b1a76f1f3dbb64f2cc659bd3c0852c9c44d59
Instruction ID: 2903cc861fcd1c3dbeec7b1d0fac90be18eb976c1bfa54ae95979ee57ca9ff15
Opcode Fuzzy Hash: f21b2ad953f11bd3813ea5922c5b1a76f1f3dbb64f2cc659bd3c0852c9c44d59
Instruction Fuzzy Hash: E6F0C832701BA851FB569B15BD5474B369CB758FE5F004266DED81BBC8DF3884528344

Uniqueness

Uniqueness Score: -1.00%

Function 020AB5F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e85fe103782232840bb8e4297862addda2d3ef7a8cab38930b298ccddd7ccd1
Instruction ID: 7615e9bbaaa413265fdbd238e84abbd387824418a5a7c190dbe2d7b91755ee45
Opcode Fuzzy Hash: 7e85fe103782232840bb8e4297862addda2d3ef7a8cab38930b298ccddd7ccd1
Instruction Fuzzy Hash: 8CF06862304B40CECB18FFB9C8501EE3762EB547C8B645425EA4D87B19DE2AC5519740

Uniqueness

Uniqueness Score: -1.00%

Function 0209FD00 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab45715fd224079492e3c8adb59841c3543c788a526f069b6961e297cf81663b
Instruction ID: a37124da089df02eee8ca7fc1553aca02ab4965467a40c0b8061990dcfaf820f
Opcode Fuzzy Hash: ab45715fd224079492e3c8adb59841c3543c788a526f069b6961e297cf81663b
Instruction Fuzzy Hash: F9B01214F03300825E0C73730C9315B00472BC4310F95C0608A06D1310FC2D80A23F81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000013FBD40A0 Relevance: 65.0, APIs: 15, Strings: 22, Instructions: 232memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD3CE0: GetCurrentProcessId.KERNEL32 ref: 000000013FBD3D05
Part of subcall function 000000013FBD3CE0: ProcessIdToSessionId.KERNEL32 ref: 000000013FBD3D12

kCFAllocatorDefault.COREFOUNDATION ref: 000000013FBD410F
kCFAllocatorDefault.COREFOUNDATION ref: 000000013FBD4131
kCFAllocatorDefault.COREFOUNDATION ref: 000000013FBD413D
kCFAllocatorDefault.COREFOUNDATION ref: 000000013FBD414E
kCFAllocatorDefault.COREFOUNDATION ref: 000000013FBD415A
kCFAllocatorDefault.COREFOUNDATION ref: 000000013FBD416B
kCFAllocatorDefault.COREFOUNDATION ref: 000000013FBD4177
kCFAllocatorDefault.COREFOUNDATION ref: 000000013FBD4184
kCFAllocatorDefault.COREFOUNDATION ref: 000000013FBD4445

Strings

/iTunes_Control/iTunes/iTunesPrefs, xrefs: 000000013FBD436F
StartAFCService(), xrefs: 000000013FBD4281, 000000013FBD42A6, 000000013FBD42C8
iPod, xrefs: 000000013FBD4147
frpd, xrefs: 000000013FBD43FC
iPad, xrefs: 000000013FBD4164
AMDeviceStartService failed (0x%08X), xrefs: 000000013FBD4277
AMDeviceStopSession failed (0x%08X), xrefs: 000000013FBD429F
IDAMConfig, xrefs: 000000013FBD41A3
iPhone, xrefs: 000000013FBD412A
AMDevicePair failed (0x%08X), xrefs: 000000013FBD4231
ReadIPodPrefsFile failed (0x%08X), xrefs: 000000013FBD43E2
DeviceClass, xrefs: 000000013FBD4108
com.apple.afc, xrefs: 000000013FBD4251
AMDeviceStartSession failed (0x%08X), xrefs: 000000013FBD4248
AMDeviceConnect failed (0x%08X), xrefs: 000000013FBD420E
StartAFCService failed (0x%08X), xrefs: 000000013FBD42DB
AFCFileRefRead failed (0x%08X), xrefs: 000000013FBD43B3
AMDeviceDisconnect failed (0x%08X), xrefs: 000000013FBD42C1
ReadIPodPrefsFile(), xrefs: 000000013FBD43BD
AFCConnectionCreate failed, xrefs: 000000013FBD4326
CMobileDeviceListener::ShouldLaunchITunes(), xrefs: 000000013FBD42E2, 000000013FBD432D, 000000013FBD43E9
AFCFileRefOpen failed (0x%08X), xrefs: 000000013FBD4384

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: AllocatorDefault$Process$CurrentSession
String ID: /iTunes_Control/iTunes/iTunesPrefs$AFCConnectionCreate failed$AFCFileRefOpen failed (0x%08X)$AFCFileRefRead failed (0x%08X)$AMDeviceConnect failed (0x%08X)$AMDeviceDisconnect failed (0x%08X)$AMDevicePair failed (0x%08X)$AMDeviceStartService failed (0x%08X)$AMDeviceStartSession failed (0x%08X)$AMDeviceStopSession failed (0x%08X)$CMobileDeviceListener::ShouldLaunchITunes()$DeviceClass$IDAMConfig$ReadIPodPrefsFile failed (0x%08X)$ReadIPodPrefsFile()$StartAFCService failed (0x%08X)$StartAFCService()$com.apple.afc$frpd$iPad$iPhone$iPod
API String ID: 4290606924-2229242306
Opcode ID: ffb21d7c695aebd7964d1d867e65381e4fb1564960902828b67369dd3a48e189
Instruction ID: cb445fc82b2b701ffdb94643f96404fa4fb1028dbf4d7b8306fce7aaa92de773
Opcode Fuzzy Hash: ffb21d7c695aebd7964d1d867e65381e4fb1564960902828b67369dd3a48e189
Instruction Fuzzy Hash: F3A17EF1A14B4181FA50AF25E9517EAE391AB85BC4F80103DE94A476EDEF2DC74B8703

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBEA3D4 Relevance: 50.9, APIs: 25, Strings: 3, Instructions: 1888COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FBEA70B
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBEA96E
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBEAC31
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBEAED1
memcpy_s.LIBCPMT ref: 000000013FBEB0DE
memcpy_s.LIBCPMT ref: 000000013FBEB17A
memcpy_s.LIBCPMT ref: 000000013FBEB632
memcpy_s.LIBCPMT ref: 000000013FBEB66D
memcpy_s.LIBCPMT ref: 000000013FBEB799
memcpy_s.LIBCPMT ref: 000000013FBEB8C0
memcpy_s.LIBCPMT ref: 000000013FBEB96B
memcpy_s.LIBCPMT ref: 000000013FBEB9B3
memcpy_s.LIBCPMT ref: 000000013FBEB9DD
memcpy_s.LIBCPMT ref: 000000013FBEBA8E
memcpy_s.LIBCPMT ref: 000000013FBEBC8E
memcpy_s.LIBCPMT ref: 000000013FBEBCD3
memcpy_s.LIBCPMT ref: 000000013FBEBD8A
memcpy_s.LIBCPMT ref: 000000013FBEBEB7
memcpy_s.LIBCPMT ref: 000000013FBEB582

Part of subcall function 000000013FBED778: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBED7AA

memcpy_s.LIBCPMT ref: 000000013FBEB5FD
memcpy_s.LIBCPMT ref: 000000013FBEC071

Strings

%u.%u.%u.%u, xrefs: 000000013FBEA3DA
, xrefs: 000000013FBEBE37
, xrefs: 000000013FBEBF64

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $ $%u.%u.%u.%u
API String ID: 2880407647-333474860
Opcode ID: 37302c880c3373059cb8d03f5e94873b4cdb5fc3cfa3a9e2d99862e06c4b6e40
Instruction ID: ea657f15b5f5f5f54e3fda3bb5936a3a809fb38113518552e7a3e5fe0007f701
Opcode Fuzzy Hash: 37302c880c3373059cb8d03f5e94873b4cdb5fc3cfa3a9e2d99862e06c4b6e40
Instruction Fuzzy Hash: 1103C3B2A112C08FE7758F25E9507EEB7A5F764788F009129EA0A57B9CD735DB02CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD4790 Relevance: 45.8, APIs: 8, Strings: 18, Instructions: 255fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000013FBD485B
WideCharToMultiByte.KERNEL32 ref: 000000013FBD4925

Part of subcall function 000000013FBD62D0: GetCurrentThreadId.KERNEL32(000000013FBD2E4F), ref: 000000013FBD63B8
Part of subcall function 000000013FBD62D0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6469
Part of subcall function 000000013FBD62D0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6480
Part of subcall function 000000013FBD62D0: CreateFileW.KERNEL32 ref: 000000013FBD64AA
Part of subcall function 000000013FBD62D0: SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD1469), ref: 000000013FBD64CB

FindFirstFileW.KERNEL32 ref: 000000013FBD4A8D
FindFirstFileW.KERNEL32 ref: 000000013FBD4B14
FindNextFileW.KERNEL32 ref: 000000013FBD4B87
FindClose.KERNEL32 ref: 000000013FBD4BAC
FindNextFileW.KERNEL32 ref: 000000013FBD4BC1
FindClose.KERNEL32 ref: 000000013FBD4BD9

Strings

%s\DCIM\%s, xrefs: 000000013FBD4ACA
JPG, xrefs: 000000013FBD4B47
MP4, xrefs: 000000013FBD4B6D
%s\*, xrefs: 000000013FBD4AF3
%s\DCIM\*, xrefs: 000000013FBD4A67
usbstor\diskapple, xrefs: 000000013FBD4945
CQueryCancelAutoPlay::AllowAutoPlay() - path = %s, xrefs: 000000013FBD4870
CQueryCancelAutoPlay::AllowAutoPlay() - allowing autoplay, xrefs: 000000013FBD49E6
sbp2\apple, xrefs: 000000013FBD496A
pszVolumePath != NULL, xrefs: 000000013FBD4A10
CQueryCancelAutoPlay::AllowAutoPlay() - GetDeviceHardwareIDForDiskDrive() failed, xrefs: 000000013FBD4895
CQueryCancelAutoPlay::DirectoryHasPhotos() - found photo file "%S", xrefs: 000000013FBD4B97
CQueryCancelAutoPlay::AllowAutoPlay() - allowing autoplay due to photos/video, xrefs: 000000013FBD4BE8
CQueryCancelAutoPlay::AllowAutoPlay() - disabling autoplay, xrefs: 000000013FBD4A21
1394\apple, xrefs: 000000013FBD495C
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\QueryCancelAutoPlay.cpp, xrefs: 000000013FBD4A03
MOV, xrefs: 000000013FBD4B5A
CQueryCancelAutoPlay::AllowAutoPlay() - Device hardware ID is %s, xrefs: 000000013FBD4939

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: FileFind$ByteCharCloseCriticalEnterFirstMultiNextSectionWide$CreateCurrentPointerThread
String ID: %s\*$%s\DCIM\%s$%s\DCIM\*$1394\apple$CQueryCancelAutoPlay::AllowAutoPlay() - Device hardware ID is %s$CQueryCancelAutoPlay::AllowAutoPlay() - GetDeviceHardwareIDForDiskDrive() failed$CQueryCancelAutoPlay::AllowAutoPlay() - allowing autoplay$CQueryCancelAutoPlay::AllowAutoPlay() - allowing autoplay due to photos/video$CQueryCancelAutoPlay::AllowAutoPlay() - disabling autoplay$CQueryCancelAutoPlay::AllowAutoPlay() - path = %s$CQueryCancelAutoPlay::DirectoryHasPhotos() - found photo file "%S"$D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\QueryCancelAutoPlay.cpp$JPG$MOV$MP4$pszVolumePath != NULL$sbp2\apple$usbstor\diskapple
API String ID: 856764332-2576380498
Opcode ID: 8dca3533f24add9705210e7ef3250922d93146d7b336a4a8a7e9003adce5ce03
Instruction ID: dcbcf1c8e671bea43089fd0a83be04c924815de51c96283040397ba6293c0688
Opcode Fuzzy Hash: 8dca3533f24add9705210e7ef3250922d93146d7b336a4a8a7e9003adce5ce03
Instruction Fuzzy Hash: A7C180B5A11A80C5EB20DF25E8407D9F3A5F7547A8F84433AEA29476DDDB39C70AC302

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD2E00 Relevance: 43.9, APIs: 15, Strings: 10, Instructions: 175windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD68A0: RegOpenKeyExW.ADVAPI32 ref: 000000013FBD6977
Part of subcall function 000000013FBD68A0: MultiByteToWideChar.KERNEL32 ref: 000000013FBD69AA
Part of subcall function 000000013FBD68A0: RegQueryValueExW.ADVAPI32 ref: 000000013FBD69E4
Part of subcall function 000000013FBD68A0: GetModuleHandleA.KERNEL32 ref: 000000013FBD6A24
Part of subcall function 000000013FBD68A0: GetModuleFileNameW.KERNEL32 ref: 000000013FBD6A36

Part of subcall function 000000013FBD6C50: GetModuleHandleA.KERNEL32 ref: 000000013FBD6C79
Part of subcall function 000000013FBD6C50: GetModuleFileNameA.KERNEL32 ref: 000000013FBD6C8D

Part of subcall function 000000013FBD62D0: GetCurrentThreadId.KERNEL32(000000013FBD2E4F), ref: 000000013FBD63B8
Part of subcall function 000000013FBD62D0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6469
Part of subcall function 000000013FBD62D0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6480
Part of subcall function 000000013FBD62D0: CreateFileW.KERNEL32 ref: 000000013FBD64AA
Part of subcall function 000000013FBD62D0: SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD1469), ref: 000000013FBD64CB

CreateEventA.KERNEL32 ref: 000000013FBD2E63

Part of subcall function 000000013FBD65B0: GetCurrentThreadId.KERNEL32(000000013FBD305E), ref: 000000013FBD66A8
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD675A
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6771
Part of subcall function 000000013FBD65B0: CreateFileW.KERNEL32 ref: 000000013FBD679B

CreateEventA.KERNEL32 ref: 000000013FBD2F5D
CreateThread.KERNEL32 ref: 000000013FBD2F88
CloseHandle.KERNEL32 ref: 000000013FBD2F9A
CoResumeClassObjects.OLE32 ref: 000000013FBD2FA9
SetEvent.KERNEL32 ref: 000000013FBD2FB9
WaitForSingleObject.KERNEL32 ref: 000000013FBD2FC7
CloseHandle.KERNEL32 ref: 000000013FBD2FD0
GetMessageA.USER32 ref: 000000013FBD2FF8
TranslateMessage.USER32 ref: 000000013FBD3007
DispatchMessageA.USER32 ref: 000000013FBD3012
SetEvent.KERNEL32 ref: 000000013FBD3065

Strings

CItunesHelperModule::Run() - Started the helper listener successfully!, xrefs: 000000013FBD2EA2
CItunesHelperModule::Run() - Registered for AutoPlay Cancelling successfully!, xrefs: 000000013FBD2F38
CItunesHelperModule::Run() - Registered with IPodService successfully!, xrefs: 000000013FBD2F00
12.12.9.4, xrefs: 000000013FBD2E3C
RegisterIQueryCancelAutoplay failed!!, xrefs: 000000013FBD2F23
iTunesHelper version: %s, xrefs: 000000013FBD2E43
CItunesHelperModule::Run() - Started the MobileDevice listener successfully!, xrefs: 000000013FBD2ED8
MonitorExtShutdownRequest, xrefs: 000000013FBD2E70
CItunesHelperModule::Run() - SHUTTING DOWN!, xrefs: 000000013FBD304D
./iTunesHelperLog.txt, xrefs: 000000013FBD2E24

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CreateFile$CriticalEnterEventHandleModuleSection$MessageThread$CloseCurrentName$ByteCharClassDispatchMultiObjectObjectsOpenPointerQueryResumeSingleTranslateValueWaitWide
String ID: ./iTunesHelperLog.txt$12.12.9.4$CItunesHelperModule::Run() - Registered for AutoPlay Cancelling successfully!$CItunesHelperModule::Run() - Registered with IPodService successfully!$CItunesHelperModule::Run() - SHUTTING DOWN!$CItunesHelperModule::Run() - Started the MobileDevice listener successfully!$CItunesHelperModule::Run() - Started the helper listener successfully!$MonitorExtShutdownRequest$RegisterIQueryCancelAutoplay failed!!$iTunesHelper version: %s
API String ID: 3227733304-831640750
Opcode ID: a841b3e6b0e8f9473a6691708c9d0c3eeb4914b4072dfb395cf6a9eb80851c73
Instruction ID: f8eed4d85ec76a2f5facd21e44a62c67e7069eab98a66ff9e7c79373bcb6f044
Opcode Fuzzy Hash: a841b3e6b0e8f9473a6691708c9d0c3eeb4914b4072dfb395cf6a9eb80851c73
Instruction Fuzzy Hash: AE816FB1E00B4582FB50AF65E8517E9A392EB84B44F48443DE949436EEEE39C74BC313

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD1720 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 238processmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBDBFB0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FBDAADB), ref: 000000013FBDBFF4
Part of subcall function 000000013FBDBFB0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FBDAADB), ref: 000000013FBDC03A

SysStringLen.OLEAUT32 ref: 000000013FBD179F
SysFreeString.OLEAUT32 ref: 000000013FBD17AF
MultiByteToWideChar.KERNEL32 ref: 000000013FBD17CE
SysAllocStringLen.OLEAUT32 ref: 000000013FBD17DB
MultiByteToWideChar.KERNEL32 ref: 000000013FBD1802

Part of subcall function 000000013FBD9930: LoadLibraryW.KERNEL32(?,?,00000000,000000013FBD308F), ref: 000000013FBD9943
Part of subcall function 000000013FBD9930: GetProcAddress.KERNEL32(?,?,00000000,000000013FBD308F), ref: 000000013FBD995B
Part of subcall function 000000013FBD9930: FreeLibrary.KERNEL32(?,?,00000000,000000013FBD308F), ref: 000000013FBD997C

SysStringLen.OLEAUT32 ref: 000000013FBD1824
VarBstrCat.OLEAUT32 ref: 000000013FBD183C
SysFreeString.OLEAUT32 ref: 000000013FBD1848
SysStringLen.OLEAUT32 ref: 000000013FBD186D
VarBstrCat.OLEAUT32 ref: 000000013FBD1889
SysFreeString.OLEAUT32 ref: 000000013FBD1895
SysStringLen.OLEAUT32 ref: 000000013FBD18AC
WideCharToMultiByte.KERNEL32 ref: 000000013FBD19A2
CreateProcessA.KERNEL32 ref: 000000013FBD19E2
CloseHandle.KERNEL32 ref: 000000013FBD19F5
CloseHandle.KERNEL32 ref: 000000013FBD1A04
GetLastError.KERNEL32 ref: 000000013FBD1A0E
SysFreeString.OLEAUT32 ref: 000000013FBD1A33
SysFreeString.OLEAUT32 ref: 000000013FBD1A3D
SysFreeString.OLEAUT32 ref: 000000013FBD1A54
SysFreeString.OLEAUT32 ref: 000000013FBD1A93

Strings

Launching iTunes FAILED! Last error = %d, xrefs: 000000013FBD1A17
LaunchApp(), xrefs: 000000013FBD1A1E

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: String$Free$ByteCharMultiWide$BstrCloseHandleLibrary$AddressAllocCreateErrorExceptionFileHeaderLastLoadProcProcessRaise
String ID: LaunchApp()$Launching iTunes FAILED! Last error = %d
API String ID: 1820409946-2021163453
Opcode ID: dd8e8bd76365ef0acc3ad98bb9ebcd124b38134f4b31957367bb96cc906e41b2
Instruction ID: d21ebd8ad3bbd83f764120e52980b8de6d5d7a527ab24638461a2d780e26091a
Opcode Fuzzy Hash: dd8e8bd76365ef0acc3ad98bb9ebcd124b38134f4b31957367bb96cc906e41b2
Instruction Fuzzy Hash: C9A152B6A00B8186F7149F21D8403E9B3A5F794798F04563EEA5A47BDCDF39C65AC302

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD9780 Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 92libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000013FBD97AF
PathRemoveFileSpecW.SHLWAPI ref: 000000013FBD97CA
PathAppendW.SHLWAPI ref: 000000013FBD97DC
LoadLibraryW.KERNEL32 ref: 000000013FBD97E7
GetProcAddress.KERNEL32 ref: 000000013FBD9813
GetProcAddress.KERNEL32 ref: 000000013FBD9826
GetLastError.KERNEL32 ref: 000000013FBD9848

Part of subcall function 000000013FBD65B0: GetCurrentThreadId.KERNEL32(000000013FBD305E), ref: 000000013FBD66A8
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD675A
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6771
Part of subcall function 000000013FBD65B0: CreateFileW.KERNEL32 ref: 000000013FBD679B

MultiByteToWideChar.KERNEL32 ref: 000000013FBD98C4
FreeLibrary.KERNEL32 ref: 000000013FBD98DE

Strings

!iTunes, xrefs: 000000013FBD982C
LaunchStoreApp(), xrefs: 000000013FBD987C
ITUWP_LaunchWindowsStoreApp, xrefs: 000000013FBD9819
iTunesUWP.dll, xrefs: 000000013FBD97D0
Launching %s, xrefs: 000000013FBD9875
Launching iTunes (Store), xrefs: 000000013FBD9851
ITUWP_LaunchITunesApp, xrefs: 000000013FBD9801
LaunchApp(), xrefs: 000000013FBD9858

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: File$AddressCriticalEnterLibraryPathProcSection$AppendByteCharCreateCurrentErrorFreeLastLoadModuleMultiNameRemoveSpecThreadWide
String ID: !iTunes$ITUWP_LaunchITunesApp$ITUWP_LaunchWindowsStoreApp$LaunchApp()$LaunchStoreApp()$Launching %s$Launching iTunes (Store)$iTunesUWP.dll
API String ID: 471342995-1849230143
Opcode ID: 6676378a911c4ab0c17924663ccb58b133300766b24a30abb92e964e73fdd41f
Instruction ID: d4a078e53d5f87ac7611e5080c5990971012646e013add9b5c04c53d988e1a2a
Opcode Fuzzy Hash: 6676378a911c4ab0c17924663ccb58b133300766b24a30abb92e964e73fdd41f
Instruction Fuzzy Hash: 5B417DB1A05B8585FA609F21E8407EAA351FB45B94F44103DAA4E477A8EF3CC34BC701

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD5510 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 173COMMON

Download Yara Rule

Strings

deviceInfoSet != INVALID_HANDLE_VALUE, xrefs: 000000013FBD55F6
status, xrefs: 000000013FBD55AA, 000000013FBD5702, 000000013FBD5725, 000000013FBD57C8
deviceInfoSet != NULL, xrefs: 000000013FBD577B
, xrefs: 000000013FBD5664
status && dwBytes != 0 && dwBytes < sizeof(spdiddBuffer), xrefs: 000000013FBD5741
drivePath != NULL, xrefs: 000000013FBD5551
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DeviceUtilitiesW32.cpp, xrefs: 000000013FBD5544, 000000013FBD556C, 000000013FBD559D, 000000013FBD55E9, 000000013FBD574B, 000000013FBD5774, 000000013FBD57BB
hardwareID != NULL, xrefs: 000000013FBD5579
, xrefs: 000000013FBD566C

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID: $ $D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DeviceUtilitiesW32.cpp$deviceInfoSet != INVALID_HANDLE_VALUE$deviceInfoSet != NULL$drivePath != NULL$hardwareID != NULL$status$status && dwBytes != 0 && dwBytes < sizeof(spdiddBuffer)
API String ID: 0-1910626470
Opcode ID: a1d823287b879730fa888e56055def56d5764e75485ddf83e1af861f1919742d
Instruction ID: 45cdd3589d622890728d1bd12ea3ab522a27893ed2b7d34be2cb63393431a941
Opcode Fuzzy Hash: a1d823287b879730fa888e56055def56d5764e75485ddf83e1af861f1919742d
Instruction Fuzzy Hash: 9D8183B6B14B8185F720CF20E8407DAA764F795798F901239EA4947ADDDF79C34ACB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF73F8 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 000000013FBF7446
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBF7AB2
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBF7C28
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBF7EE6
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBF8106
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBF8343
memcpy_s.LIBCPMT ref: 000000013FBF841E
memcpy_s.LIBCPMT ref: 000000013FBF84C9
memcpy_s.LIBCPMT ref: 000000013FBF8598

Strings

1#QNAN, xrefs: 000000013FBF755F
1#IND, xrefs: 000000013FBF7533
1#INF, xrefs: 000000013FBF756F
1#SNAN, xrefs: 000000013FBF7556

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 6ae264541e756970514cfb8374d4aed9e44816f913b83c599fbcc441da964d90
Instruction ID: e4085ec2091034669c0a863042098819959a8c28d7e5ee0f01c4d24296333363
Opcode Fuzzy Hash: 6ae264541e756970514cfb8374d4aed9e44816f913b83c599fbcc441da964d90
Instruction Fuzzy Hash: 4AB2EFB2E103818BE7658F68D540BEDB7A1F354788F605239DA0A57E8CD735DB0ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD3670 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 79registryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 000000013FBD3680
GetModuleHandleA.KERNEL32 ref: 000000013FBD36BD
RegisterClassA.USER32 ref: 000000013FBD371D
GetLastError.KERNEL32 ref: 000000013FBD3728

Part of subcall function 000000013FBD5FF0: GetCurrentThreadId.KERNEL32(000000013FBD1165), ref: 000000013FBD60E1
Part of subcall function 000000013FBD5FF0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6193
Part of subcall function 000000013FBD5FF0: EnterCriticalSection.KERNEL32 ref: 000000013FBD61AA
Part of subcall function 000000013FBD5FF0: CreateFileW.KERNEL32 ref: 000000013FBD61D4
Part of subcall function 000000013FBD5FF0: SetFilePointer.KERNEL32 ref: 000000013FBD61F5

Strings

CItunesHelperMsgListener::DoMsgPump(), xrefs: 000000013FBD3691
Failed to initialize COM!, xrefs: 000000013FBD368A
CItunesHelperMsgListener::DoMsgPump() - Thread EXIT, xrefs: 000000013FBD37C4

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalEnterFileSection$ClassCreateCurrentErrorHandleInitializeLastModulePointerRegisterThread
String ID: CItunesHelperMsgListener::DoMsgPump()$CItunesHelperMsgListener::DoMsgPump() - Thread EXIT$Failed to initialize COM!
API String ID: 30167652-1099895065
Opcode ID: 281426bffe93f4021ecd7fac14e311f3bcfb85454697e50211b08bbec54f0d9f
Instruction ID: 63d5a3d0589965066b786c800218e4ad2c66985fd5fc157eef2f50237401aee2
Opcode Fuzzy Hash: 281426bffe93f4021ecd7fac14e311f3bcfb85454697e50211b08bbec54f0d9f
Instruction Fuzzy Hash: C84142B2A14BC581F7309F24F8517EAB3A5F798740F444139E58943A99DF7DC28AC741

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD5830 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 108COMMON

Download Yara Rule

Strings

success, xrefs: 000000013FBD5953
pid_, xrefs: 000000013FBD59B5
deviceInfoSet != NULL, xrefs: 000000013FBD5867
vid_, xrefs: 000000013FBD5990
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DeviceUtilitiesW32.cpp, xrefs: 000000013FBD585A, 000000013FBD5882, 000000013FBD58AA, 000000013FBD58D2, 000000013FBD5946
productID != NULL, xrefs: 000000013FBD58DF
usb\, xrefs: 000000013FBD5979
vendorID != NULL, xrefs: 000000013FBD58B7
deviceInfoData != NULL, xrefs: 000000013FBD588F

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID: D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DeviceUtilitiesW32.cpp$deviceInfoData != NULL$deviceInfoSet != NULL$pid_$productID != NULL$success$usb\$vendorID != NULL$vid_
API String ID: 0-2922642032
Opcode ID: 13e7816a43c8fcb64b4dd7a58fb29dd1463b4c2195ee8bca53f1dfa0632dc1f0
Instruction ID: b1aa30e0deedf1a13eb86c28adb8298f0928460d186237da5d57697344962314
Opcode Fuzzy Hash: 13e7816a43c8fcb64b4dd7a58fb29dd1463b4c2195ee8bca53f1dfa0632dc1f0
Instruction Fuzzy Hash: D5417CB6B14B4191FB609F20E8817D9E360FB95754F84413AA90947BEDEF79C70AC702

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD1310 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32 ref: 000000013FBD1372
CreateEventA.KERNEL32 ref: 000000013FBD13EE
GetLastError.KERNEL32 ref: 000000013FBD13F7
CloseHandle.KERNEL32 ref: 000000013FBD1407

Part of subcall function 000000013FBD1AB0: InitializeCriticalSectionEx.KERNEL32 ref: 000000013FBD1AF1
Part of subcall function 000000013FBD1AB0: GetLastError.KERNEL32 ref: 000000013FBD1AFB
Part of subcall function 000000013FBD1AB0: GetCurrentThreadId.KERNEL32 ref: 000000013FBD1B21

CoInitialize.OLE32 ref: 000000013FBD142E
GetModuleHandleA.KERNEL32 ref: 000000013FBD1448
GetCommandLineA.KERNEL32 ref: 000000013FBD1459
CoUninitialize.OLE32 ref: 000000013FBD1471
CloseHandle.KERNEL32 ref: 000000013FBD147A

Strings

Mscoree.dll, xrefs: 000000013FBD1441

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Handle$CloseErrorInitializeLast$CommandCreateCriticalCurrentEventLineModuleNameSectionThreadUninitializeUser
String ID: Mscoree.dll
API String ID: 1789185286-4150509846
Opcode ID: 82f0d0863addba462c51383d29244683d30cbdb968aeaae6b9861de5197e7c29
Instruction ID: 8dc8f3e9bd9616dd3b418fd7ae40a14222728cde15db95544a84827b7ef25904
Opcode Fuzzy Hash: 82f0d0863addba462c51383d29244683d30cbdb968aeaae6b9861de5197e7c29
Instruction Fuzzy Hash: 46419EB1A04B8482FB619F61E8013E9A3A1F789B54F44413DE649437D9DF3DC20BCB12

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD53D0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

success || (GetLastError() == ERROR_NO_MORE_ITEMS), xrefs: 000000013FBD54D9
, xrefs: 000000013FBD548F
enumerator != NULL, xrefs: 000000013FBD53FD
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DeviceUtilitiesW32.cpp, xrefs: 000000013FBD53F0, 000000013FBD5424, 000000013FBD54CC
enumerationProc != NULL, xrefs: 000000013FBD5431

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID: $D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DeviceUtilitiesW32.cpp$enumerationProc != NULL$enumerator != NULL$success || (GetLastError() == ERROR_NO_MORE_ITEMS)
API String ID: 0-2046212529
Opcode ID: 60e2ac8267961a4f1a645438f9f36b85014625ce7cf50f0e481083618a58c81e
Instruction ID: 966382c4368efc4294b3eeb9bca40df487538ed0d436d41ec5102e0a13f00e4b
Opcode Fuzzy Hash: 60e2ac8267961a4f1a645438f9f36b85014625ce7cf50f0e481083618a58c81e
Instruction Fuzzy Hash: 1F318FB2F0474082FA209B24F4517EAA361F795B94F845229EA5D46ADDDF2DC3878B02

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD51D0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 125COMMON

Download Yara Rule

Strings

success, xrefs: 000000013FBD537D
deviceNumber != NULL, xrefs: 000000013FBD5269
drivePath != NULL, xrefs: 000000013FBD5241
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DeviceUtilitiesW32.cpp, xrefs: 000000013FBD5234, 000000013FBD525C, 000000013FBD5315, 000000013FBD5370
hVolume != INVALID_HANDLE_VALUE, xrefs: 000000013FBD5322

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID: D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DeviceUtilitiesW32.cpp$deviceNumber != NULL$drivePath != NULL$hVolume != INVALID_HANDLE_VALUE$success
API String ID: 0-1709165609
Opcode ID: 282b79c589075b2d3a4d4d66b65f61de22bea39a0fa44490ac5fc2bfb5f6234a
Instruction ID: 8b771c24171302968288be045c740f8156b47f44d49b97e4c417ba1646b430d3
Opcode Fuzzy Hash: 282b79c589075b2d3a4d4d66b65f61de22bea39a0fa44490ac5fc2bfb5f6234a
Instruction Fuzzy Hash: AC51A6B6A1474086E760DF21F8507DAF360F7957A0F404239EA9943BDCDB38C64ACB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE8CE4 Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 608COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE8D2B

Strings

f, xrefs: 000000013FBE8EA8
f, xrefs: 000000013FBE8F12
f, xrefs: 000000013FBE9051
0, xrefs: 000000013FBE929C
p, xrefs: 000000013FBE8EB5
p, xrefs: 000000013FBE8F1A

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$f$f$p$p$f
API String ID: 3215553584-303101543
Opcode ID: de791896a9bdf1ac1a8c9b884b9349600cbad056898ab333e94f32d9097e201c
Instruction ID: e90eb28df3320ad23ec3bba0073527e5834b02ad8182d7e5ded2b5d486a86cc3
Opcode Fuzzy Hash: de791896a9bdf1ac1a8c9b884b9349600cbad056898ab333e94f32d9097e201c
Instruction Fuzzy Hash: 6D42ADB2E0464182FB749E15F1443E9B3A5F3A0B50F94453AE6ED47ACCDB38CA9AC750

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD92B0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 267COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FBD96BF
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FBD96C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FBD96D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FBD96D7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FBD96DD

Strings

nzyj5cx40ttqa, xrefs: 000000013FBD9502, 000000013FBD9525
!App, xrefs: 000000013FBD95EC

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: !App$nzyj5cx40ttqa
API String ID: 3936042273-459544931
Opcode ID: fd29b9d5983ebf8339565e5fd4bca1a13b84b592da347803a8e946e19208cc19
Instruction ID: c9db48c18c83016a67c7b6367a6a2b08fd0de3d68d3105aae30cbed76e485a41
Opcode Fuzzy Hash: fd29b9d5983ebf8339565e5fd4bca1a13b84b592da347803a8e946e19208cc19
Instruction Fuzzy Hash: 17B1A672A14B8481FB10DF65E4403DEA761E7857E4F505329FAAD17BEADB78C282C702

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD1E80 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 000000013FBD1EE6
SysAllocString.OLEAUT32 ref: 000000013FBD1F57
SysFreeString.OLEAUT32 ref: 000000013FBD2074

Strings

CItunesHelperModule::ConnectToService() - FAILED to create instance of the service!, xrefs: 000000013FBD1F0A
CItunesHelperModule::ConnectToService() - FAILED to log onto the service!, xrefs: 000000013FBD203A
CItunesHelperModule::ConnectToService() - FAILED to connect to the service!, xrefs: 000000013FBD1FAF

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: String$AllocCreateFreeInstance
String ID: CItunesHelperModule::ConnectToService() - FAILED to connect to the service!$CItunesHelperModule::ConnectToService() - FAILED to create instance of the service!$CItunesHelperModule::ConnectToService() - FAILED to log onto the service!
API String ID: 391255401-963199552
Opcode ID: 23cce98a9dc05818c2ed7a1637814fcb20c9e876ea27763ce566468d7959161c
Instruction ID: 308418bfa980eba19d56560b48fccf6ac7b640f0417c7e7045f9a6db22bc3ad5
Opcode Fuzzy Hash: 23cce98a9dc05818c2ed7a1637814fcb20c9e876ea27763ce566468d7959161c
Instruction Fuzzy Hash: 89616EB6A00B4582FB159F69D4503D9A3A1F784B94F54803AEB4E877A8DF3DC64AC302

Uniqueness

Uniqueness Score: -1.00%

Function 6BE54650 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 141stringfileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 6BE547CE
FindClose.KERNEL32 ref: 6BE547DC
lstrlenW.KERNEL32 ref: 6BE547E8
lstrlenW.KERNEL32 ref: 6BE54825

Strings

GetLongPathNameW, xrefs: 6BE54685
kernel32.dll, xrefs: 6BE54671

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: Findlstrlen$CloseFileFirst
String ID: GetLongPathNameW$kernel32.dll
API String ID: 895237040-568771998
Opcode ID: f3af13454452512150709e4749a4765079f448c9bd14dbbcd07e410b59d875df
Instruction ID: 5eefd7333b7201abc1b9facb0035c1d22e367a176d82e67650c9763bfa7dc34b
Opcode Fuzzy Hash: f3af13454452512150709e4749a4765079f448c9bd14dbbcd07e410b59d875df
Instruction Fuzzy Hash: 97518F23700A8495CB11DF35E8503DA27B1F745BDCF69922A9E1E4BB5CEB7DC4A58340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDACA4 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000013FBDACC0
RtlCaptureContext.KERNEL32 ref: 000000013FBDACED
RtlLookupFunctionEntry.KERNEL32 ref: 000000013FBDAD07
RtlVirtualUnwind.KERNEL32 ref: 000000013FBDAD48
IsDebuggerPresent.KERNEL32 ref: 000000013FBDAD9C
SetUnhandledExceptionFilter.KERNEL32 ref: 000000013FBDADBD
UnhandledExceptionFilter.KERNEL32 ref: 000000013FBDADC8

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 12475bb690deb7294557565fbedf595a6b859d4afcbed29b979c01c53c1f48c3
Instruction ID: 066a08838cdcce18be2f7417c74e5023138997492531fcb8c27fd1707efc6191
Opcode Fuzzy Hash: 12475bb690deb7294557565fbedf595a6b859d4afcbed29b979c01c53c1f48c3
Instruction Fuzzy Hash: CA314BB2605B80CAEB609F64E8443EEB365F784754F44442EEA4E47B99EF38C649C711

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF2CD0 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 000000013FBF2D15

Part of subcall function 000000013FBF260C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBF2620

Part of subcall function 000000013FBEF990: HeapFree.KERNEL32 ref: 000000013FBEF9A6
Part of subcall function 000000013FBEF990: GetLastError.KERNEL32(?,?,000000013FBEF11F,000000013FBF6AA2,?,?,?,000000013FBF6ADF,?,?,00000000,000000013FBF6FA5,?,?,?,000000013FBF6ED7), ref: 000000013FBEF9B0

Part of subcall function 000000013FBEDBD4: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FBEDBDD
Part of subcall function 000000013FBEDBD4: GetCurrentProcess.KERNEL32(?,?,?,?,000000013FBEDB83,?,?,?,?,?,000000013FBEDA6E), ref: 000000013FBEDC02

Part of subcall function 000000013FBF8C04: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBF8B4F

_get_daylight.LIBCMT ref: 000000013FBF2D04

Part of subcall function 000000013FBF266C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBF2680

_get_daylight.LIBCMT ref: 000000013FBF2F7A
_get_daylight.LIBCMT ref: 000000013FBF2F8B
_get_daylight.LIBCMT ref: 000000013FBF2F9C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,000000013FBF31DC), ref: 000000013FBF2FC3

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 82b9ba2e1b88c1f3a2399e510979319977c3b60afc73acfeb687eb6c53c08a29
Instruction ID: 5c1f1ce70596b76b8b44b05f288ba19435a0ba3e8214ebf3025431dd7ae4a2e0
Opcode Fuzzy Hash: 82b9ba2e1b88c1f3a2399e510979319977c3b60afc73acfeb687eb6c53c08a29
Instruction Fuzzy Hash: A3D1E1B6F1034086EB24EF35D8517E9A765F784B84F44803EEE8947A9ADB3AC657C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF351C Relevance: 9.2, APIs: 6, Instructions: 227COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FBF353E
_get_daylight.LIBCMT ref: 000000013FBF359E
_get_daylight.LIBCMT ref: 000000013FBF35AF
_get_daylight.LIBCMT ref: 000000013FBF35C0
_isindst.LIBCMT ref: 000000013FBF3611
_isindst.LIBCMT ref: 000000013FBF3664

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: 8410a52a456c6869b3aee147b9b0b53b82a61bd195df82e7f6573e6a503da9da
Instruction ID: 6a88b9678e4682c8f9c644bc4631790f0c2955dfa046563b38742dc14551ca2d
Opcode Fuzzy Hash: 8410a52a456c6869b3aee147b9b0b53b82a61bd195df82e7f6573e6a503da9da
Instruction Fuzzy Hash: D581C6F2F003458BEB588F39C9517E8B7A1E754B88F08913DDA098A78DEB39D646C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBED8B8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000013FBED931
RtlLookupFunctionEntry.KERNEL32 ref: 000000013FBED949
RtlVirtualUnwind.KERNEL32 ref: 000000013FBED984
IsDebuggerPresent.KERNEL32 ref: 000000013FBED9BD
SetUnhandledExceptionFilter.KERNEL32 ref: 000000013FBED9C7
UnhandledExceptionFilter.KERNEL32 ref: 000000013FBED9D2

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 50be9513a6108a2b2545f041795edc1a2c842a50c6573b064a2f1a46a5c336c7
Instruction ID: 4c6a6cae791aa1cc275ce3040fa05fc23b061f6f5f5a7e9435d2a182628264dc
Opcode Fuzzy Hash: 50be9513a6108a2b2545f041795edc1a2c842a50c6573b064a2f1a46a5c336c7
Instruction Fuzzy Hash: 45316476614F8086EB60CF25E8443EEB3A4F789794F54012AEA9D43B9DDF39C656CB00

Uniqueness

Uniqueness Score: -1.00%

Function 6BE54060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32 ref: 6BE54151
GetLocaleInfoW.KERNEL32 ref: 6BE5417A
GetLocaleInfoW.KERNEL32 ref: 6BE54190

Strings

-;k, xrefs: 6BE5411C

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: Locale$Info$Valid
String ID: -;k
API String ID: 1826331170-387235514
Opcode ID: f77ff24fd46e7cd3c1bd0865a42a23233e8a74bd96ce10285b0f872ff9c8adfa
Instruction ID: 44c9fa927896a14fcb9a84af76a6237921b7fbdd7d4a3154f0a3a6afc8d839ac
Opcode Fuzzy Hash: f77ff24fd46e7cd3c1bd0865a42a23233e8a74bd96ce10285b0f872ff9c8adfa
Instruction Fuzzy Hash: 4941A976200A8489DB14CFB4D8517E93772F744B9DFA0001BEA5D87BA8DB3AC5A5C351

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD9A08 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000013FBD9A69
IsDebuggerPresent.KERNEL32 ref: 000000013FBD9A81
OutputDebugStringW.KERNEL32 ref: 000000013FBD9A92

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000000013FBD9A8B

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: e3e9938227c5c3d6e1ae55f664b7d3a284c29ecf403f2d98628c055ce3444f01
Instruction ID: 2dba34b652c73fd9b83e56e6c18f8bd6ab9fef9ebd2176b7ab1da423eeb19752
Opcode Fuzzy Hash: e3e9938227c5c3d6e1ae55f664b7d3a284c29ecf403f2d98628c055ce3444f01
Instruction Fuzzy Hash: 9511C272B10B81A7F7449F22E6503E973A4FB08344F40813CD64983AA8EF38D67AC702

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF2F4C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 000000013FBF2F7A

Part of subcall function 000000013FBF266C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBF2680

_get_daylight.LIBCMT ref: 000000013FBF2F8B

Part of subcall function 000000013FBF260C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBF2620

_get_daylight.LIBCMT ref: 000000013FBF2F9C

Part of subcall function 000000013FBF263C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBF2650

Part of subcall function 000000013FBEF990: HeapFree.KERNEL32 ref: 000000013FBEF9A6
Part of subcall function 000000013FBEF990: GetLastError.KERNEL32(?,?,000000013FBEF11F,000000013FBF6AA2,?,?,?,000000013FBF6ADF,?,?,00000000,000000013FBF6FA5,?,?,?,000000013FBF6ED7), ref: 000000013FBEF9B0

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,000000013FBF31DC), ref: 000000013FBF2FC3

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 59062b4e37cc9b53793044b4a1b077f89ea97d06a1955940054fc5849b73f1b2
Instruction ID: 1359aceb7edb3627dbc49608245e26ff08ae762bb73fa322e7d5a2f1ba4a89ab
Opcode Fuzzy Hash: 59062b4e37cc9b53793044b4a1b077f89ea97d06a1955940054fc5849b73f1b2
Instruction Fuzzy Hash: 1F519EB2E1074486E720EF36E8807D9B764F788B84F44513EEA4983B9ADB39C657C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBEC300 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 000000013FBEC366
memcpy_s.LIBCPMT ref: 000000013FBEC391

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: fe19abcd7e1bf5b9e82a49bcafccde751bd931cd582c908edc37772ec6748bf4
Instruction ID: c77a02f9fed45a6daddb5de5f9d1486e73f6270f16891aca559cb231e8c1057c
Opcode Fuzzy Hash: fe19abcd7e1bf5b9e82a49bcafccde751bd931cd582c908edc37772ec6748bf4
Instruction Fuzzy Hash: B1C1D4F2B1468487EB258F19F0447AAF7A1F3A4B84F449139DB4E47748DB39DA02CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE6EAC Relevance: 4.6, APIs: 3, Instructions: 99timeCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6EE4

Part of subcall function 000000013FBEDBD4: IsProcessorFeaturePresent.KERNEL32 ref: 000000013FBEDBDD
Part of subcall function 000000013FBEDBD4: GetCurrentProcess.KERNEL32(?,?,?,?,000000013FBEDB83,?,?,?,?,?,000000013FBEDA6E), ref: 000000013FBEDC02

_get_daylight.LIBCMT ref: 000000013FBE6EFC
GetTimeZoneInformation.KERNEL32(?), ref: 000000013FBE6F55

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CurrentFeatureInformationPresentProcessProcessorTimeZone_get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 341842238-0
Opcode ID: cf755bdbfef4c21fdeb246fa0357748b2cb5194f19ddbb773c5a0f943c67c445
Instruction ID: 34e32a620fb3683578568e7c676bff72cc4fba20e06a944ab60e48d3fecd7300
Opcode Fuzzy Hash: cf755bdbfef4c21fdeb246fa0357748b2cb5194f19ddbb773c5a0f943c67c445
Instruction Fuzzy Hash: E541E8B2A2478883E724CF65F4417D9F261F7A8380F509039EA5D87B99DB38C652CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBFC308 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000013FBFC557
RaiseException.KERNEL32 ref: 000000013FBFC568

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: b1055f2cce8ae84ca75c8e1745ea063b0329257c0d4b4aa355951fd6155e3742
Instruction ID: 295d86d4da59e948fb99022785cea9136ef37e84fb65c401f40787f8853aa664
Opcode Fuzzy Hash: b1055f2cce8ae84ca75c8e1745ea063b0329257c0d4b4aa355951fd6155e3742
Instruction Fuzzy Hash: 65B1FEB7610B848BEB55CF29C44639CBBE0F384B98F158925DB5D877A8CB3AC596C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE46C0 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 000000013FBE4A70
, xrefs: 000000013FBE482E

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: af9557c00983384184fd98ee11ee014316785f63be58c8b93da245438e1a4d05
Instruction ID: 4594df3a8f7cb7ad9bd677b7c6c044386e4e769210ceb0841e6b689aaaf68c7b
Opcode Fuzzy Hash: af9557c00983384184fd98ee11ee014316785f63be58c8b93da245438e1a4d05
Instruction Fuzzy Hash: 99E1D6BAA00644C5EB68CE29E050BADB3A0F765B98F24523DDE4E0779CCB35CA53D740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF12C8 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 000000013FBF13D5
gfff, xrefs: 000000013FBF1452

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 425215baa9b04c8d2d7de8fcbfe02f5eb5271786d3b8914f7b34ff6cbdf8d195
Instruction ID: d8f620a8b16edfc2a807c5273f9d3c2fb0a9fce788822c574364c1fbe6c90246
Opcode Fuzzy Hash: 425215baa9b04c8d2d7de8fcbfe02f5eb5271786d3b8914f7b34ff6cbdf8d195
Instruction Fuzzy Hash: FB516BB2B147D446E725CF35E800799F791F384B94F48D639CBA44BAC9CB3AC64A8B01

Uniqueness

Uniqueness Score: -1.00%

Function 02092AA0 Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

MZER, xrefs: 02092B09, 02092BA5

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID: MZER
API String ID: 0-2424380061
Opcode ID: 11903d68c46551233222a239cc1d18bb6d955aba6b47dd20026dba22df9cae2f
Instruction ID: b169f8bb87bcac2498d991a43519538074303be761067f020c670123e1b2f717
Opcode Fuzzy Hash: 11903d68c46551233222a239cc1d18bb6d955aba6b47dd20026dba22df9cae2f
Instruction Fuzzy Hash: 3B02EF33A19BC496DB02CF25C4147AC7BA5F35A798F8A9312DEAA57342DB34D589E300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF43C4 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fd4c3b3c60a78ba12478ee89a3277b408eadafa19b0e5bcd66cee5dafdac5e
Instruction ID: 0fe25c1570e6ed46c679d68c8165d55f0a8f5583a2ac3b8bb53d2e529be3185c
Opcode Fuzzy Hash: f8fd4c3b3c60a78ba12478ee89a3277b408eadafa19b0e5bcd66cee5dafdac5e
Instruction Fuzzy Hash: E351D372B0479085FB109F76E8407DABBA5F7447D8F144228AE5867B9DCB39C646C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF0E34 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 000000013FBF1176

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 3b2d617dece93885bed796e50f75cca4452f93044819b7efed569ac6f0124d8d
Instruction ID: 2e87ba9a63dfc7f214551ab105a449164477eb4bc9fa43053c9512ca99494de6
Opcode Fuzzy Hash: 3b2d617dece93885bed796e50f75cca4452f93044819b7efed569ac6f0124d8d
Instruction Fuzzy Hash: 67A144B2F097C486EB21CF29E4507DABBA1E754BD4F048139DE8947799DA3EC60AC701

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF5E3C Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000013FBF5E40

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b85aad14a30d38087b4c1c541ffffebabe0fb3e021c07450f80c32cae8d59637
Instruction ID: d25a3147876d35b7c56508cb4d4b1c02ec8a9867545073472300c659d1f95732
Opcode Fuzzy Hash: b85aad14a30d38087b4c1c541ffffebabe0fb3e021c07450f80c32cae8d59637
Instruction Fuzzy Hash: 26B09230E03B45C2EB482B11AC8274423E8BB88B10F99203CC00C80320EA2C02FA5700

Uniqueness

Uniqueness Score: -1.00%

Function 6BE6F350 Relevance: 1.0, Instructions: 954COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadb9a25bdad7f8ad675ccd0a6728a0d9943c25a205c963af29415434ac258d9
Instruction ID: 46006fee19b4287f4746e606e2c34a271cffec746ca9e48edcc5dd91e7d09962
Opcode Fuzzy Hash: cadb9a25bdad7f8ad675ccd0a6728a0d9943c25a205c963af29415434ac258d9
Instruction Fuzzy Hash: EB923732654AC48ACB30DF39C8503DA3761F745BDCF20416ADA5D8BB99EB3AD951C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE42BC Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e3e8f8bd9ce02589b53e78a26befe79145d09a21f9a2de836bef605702294b
Instruction ID: a5ab83ca72273ce091287d09fcb2db94270c417b209ddcb89b872616ccec6b1d
Opcode Fuzzy Hash: 20e3e8f8bd9ce02589b53e78a26befe79145d09a21f9a2de836bef605702294b
Instruction Fuzzy Hash: 8ED1CFBAA00644C6EB68CE29E550BADB7A0F765B48F24423DCE0E476DDCB35CA57C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE9EC8 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451b66544a734845406f178eca876b0f837a8b694a25782287d6be948b125704
Instruction ID: be835e525abbe7624e2678f1a9c4d5c6c6a5c30c5f2a5ac53b4032dafc5c3e03
Opcode Fuzzy Hash: 451b66544a734845406f178eca876b0f837a8b694a25782287d6be948b125704
Instruction Fuzzy Hash: 549137B6B1428586FE284E25F4107F9969CBB72798F04013D9E6E477CADA38CB0B9701

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE3928 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8688c0a2105936b2d26bca3483672b5af4039eda03cb02284d6d97dcf697a26
Instruction ID: 83a6f3c6396082920e77f4dbfe36200ea711c146571b0d110a64a5974e7d5bb7
Opcode Fuzzy Hash: e8688c0a2105936b2d26bca3483672b5af4039eda03cb02284d6d97dcf697a26
Instruction Fuzzy Hash: B3B181B6A0478485E7648F39E4543ACBFA5E365F48F2C6139CB8E47399CB36C642C760

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF1948 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490781c5b2d53e8886da94cb151c7f2d74b14f5f64342994769c56955948a435
Instruction ID: 326247da6313950667077f0682c8fdd98304cf48b18be0c5d9d19a8763515675
Opcode Fuzzy Hash: 490781c5b2d53e8886da94cb151c7f2d74b14f5f64342994769c56955948a435
Instruction Fuzzy Hash: EA81D6B2A0478086E774CF1AD4403AAF691F3467D4F54863DDA9947B9DDB3EC64A8B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE2E0C Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d14e1479904656f2dc463e089184b3eab9b6b0fbe432195a0a353565b7517f1
Instruction ID: 2b1cb44b090b355ce10731c2b0a0b850d2cfb18ead38e6272628295a0bad88da
Opcode Fuzzy Hash: 0d14e1479904656f2dc463e089184b3eab9b6b0fbe432195a0a353565b7517f1
Instruction Fuzzy Hash: 8D5172B6E10A6086E7248F29E050398B7A0E769B68F284129DECD177D8C736DE43C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE25EC Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c95aa000ad309a6844e625ce236abce253ecac2a8144127c847e48f7425a749
Instruction ID: ae636577350660ab9741ad1a0eb818274c19389d9f31c3eb50811f3cce72324b
Opcode Fuzzy Hash: 1c95aa000ad309a6844e625ce236abce253ecac2a8144127c847e48f7425a749
Instruction Fuzzy Hash: F45195B6E1065086E7248F29E45079CB7A0E365F68F245229CECD177ACD736DE53C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE29FC Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a2d878bb1d74cd29265bf6b911c0be47c6fff7617a8a21d6fdeb7896ff60f1
Instruction ID: 9dbf6bbd68de3a7613cbb39b80e56c6f1addf9bc14fb0c92c826fb0941131684
Opcode Fuzzy Hash: 18a2d878bb1d74cd29265bf6b911c0be47c6fff7617a8a21d6fdeb7896ff60f1
Instruction Fuzzy Hash: 495194B6F10A5086E7348F29E0503A8B7A0E764F68F249229DE8D577ADC736DE43C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE23E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4867b7e076116c38dbbc844cfa205fcff6898b475413c6d8616e12d5beac6ff7
Instruction ID: 1c43a54593bf41f4b78e7dd705854d97fcd7af57d91fb5ba71613b8c2a2b3180
Opcode Fuzzy Hash: 4867b7e076116c38dbbc844cfa205fcff6898b475413c6d8616e12d5beac6ff7
Instruction Fuzzy Hash: 015170B6E2065086E7248F29E15039DB7B0E768F58F245129CF8D177A8D736DA47C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE27F8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbcabbd989d1571db375c3d331aa933e063059400eede78d49dd596729ccc97a
Instruction ID: f784bbbd02b66dd9dd006d049c01c2f808c27c0d8750b19153fecd2bb24e554f
Opcode Fuzzy Hash: fbcabbd989d1571db375c3d331aa933e063059400eede78d49dd596729ccc97a
Instruction Fuzzy Hash: 4D51A4B6E1065086EB248F29E440398B7A0E768F58F285139CECD577ACD736DE53C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE2C08 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3218e4cdb86e5d9cf733c388ad54f5882477934b112a1d460d025d42eeb202bd
Instruction ID: 1111c7cd14a2b8610f6f2cc3a5960c31833a0fc2b12a6990c6b6b1818ea04134
Opcode Fuzzy Hash: 3218e4cdb86e5d9cf733c388ad54f5882477934b112a1d460d025d42eeb202bd
Instruction Fuzzy Hash: 475182B6F1065086E7258F29E040398B7A0E364F58F249129CF8D57BA8C736DE53C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBEF068 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: a82362e14e8f2afc2adb26396007c59266723cea2ede52880bf84144d3cec933
Instruction ID: 41113e88ae7daa4a42fe1f28002f890425f25c19db95210f26ad9ab48c134015
Opcode Fuzzy Hash: a82362e14e8f2afc2adb26396007c59266723cea2ede52880bf84144d3cec933
Instruction Fuzzy Hash: C841C072710A5882EF04CF2AE914799A3A1F759FD4F49A03ADE0D87B58DB3DC6838300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBEC940 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a518d5da21608cb97e35cf1ff8a4e21db4925d473fcd560f62d7b0e1e9313c1e
Instruction ID: d55e5bcbb36374eecad5a8244ffc8b812703515a9dadd5baf94f76cd4405c04e
Opcode Fuzzy Hash: a518d5da21608cb97e35cf1ff8a4e21db4925d473fcd560f62d7b0e1e9313c1e
Instruction Fuzzy Hash: BA3188F6F4414086FABADE2DF5157FDD242A7B2340E24E039850E02ACDD9328B47DA05

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBFBE00 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7641a39fc344002821f6cbb68519c9d40a52b2246b9ee317d9faeaf8a0d8ac3a
Instruction ID: 6a4aa57bf2663c05f04a30712f537c560ff36eaccf59f41fdaf661f88e15f780
Opcode Fuzzy Hash: 7641a39fc344002821f6cbb68519c9d40a52b2246b9ee317d9faeaf8a0d8ac3a
Instruction Fuzzy Hash: 93F096B1B242988FEBA4CF2CA842B5977D4F3083C0F90D02DD68983B14D23CC1A58F04

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDAE8C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2bef048be4368f2bf434bc2a64eaacddf25c1e4a4c8753777b4c9b7fa3d335
Instruction ID: 22a8ca0fc00c3789d6646d3e78be6935b6325b146e4de2001f8311aa332766e5
Opcode Fuzzy Hash: 6a2bef048be4368f2bf434bc2a64eaacddf25c1e4a4c8753777b4c9b7fa3d335
Instruction Fuzzy Hash: 35A002B1914F00D6F706AF49E8947A0B374E390700F505039D00D410A99B7DD746D302

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD6D10 Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 168filethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000000013FBD6D6E
EnterCriticalSection.KERNEL32 ref: 000000013FBD6EE4
EnterCriticalSection.KERNEL32 ref: 000000013FBD6EFB
CreateFileW.KERNEL32 ref: 000000013FBD6F2C
SetFilePointer.KERNEL32 ref: 000000013FBD6F4D
WriteFile.KERNEL32 ref: 000000013FBD6F78
FlushFileBuffers.KERNEL32 ref: 000000013FBD6F81
CloseHandle.KERNEL32 ref: 000000013FBD6F8A
LeaveCriticalSection.KERNEL32 ref: 000000013FBD6F97
OutputDebugStringA.KERNEL32 ref: 000000013FBD6FA7
LeaveCriticalSection.KERNEL32 ref: 000000013FBD6FCA

Strings

ERROR, xrefs: 000000013FBD6DAC
heapSetInfoResult, xrefs: 000000013FBD6D15
ASSERT, xrefs: 000000013FBD6DB5
[%s: 0x%X,%s %s] , xrefs: 000000013FBD6E02
[%s: 0x%X,%s %s] %s%s, xrefs: 000000013FBD6E41
INFO, xrefs: 000000013FBD6DA3
TRACE, xrefs: 000000013FBD6D9A
- , xrefs: 000000013FBD6E2F
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\Common\Windows\WinUtils.cpp, xrefs: 000000013FBD6D17

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalFileSection$EnterLeave$BuffersCloseCreateCurrentDebugFlushHandleOutputPointerStringThreadWrite
String ID: - $ASSERT$D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\Common\Windows\WinUtils.cpp$ERROR$INFO$TRACE$[%s: 0x%X,%s %s] $[%s: 0x%X,%s %s] %s%s$heapSetInfoResult
API String ID: 3861094109-4140787627
Opcode ID: 651c027d74c65a6263f94b30e7d1a5bf29b675d3d7d8ae4fe32cc4dadeda3832
Instruction ID: 3388e8c6e632e2617820d5cc8708422dd0a0660564d58f4bac63a0edf8bc3d5e
Opcode Fuzzy Hash: 651c027d74c65a6263f94b30e7d1a5bf29b675d3d7d8ae4fe32cc4dadeda3832
Instruction Fuzzy Hash: 2781B1B2A04B8495F764DF24E8443D9B7A1F785754F84413AEA8D43AE8DF38C74AC702

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD3360 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 182registrysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 000000013FBD33AC
_mbsupr.LIBCMT ref: 000000013FBD3422
Process32Next.KERNEL32 ref: 000000013FBD345F
CloseHandle.KERNEL32 ref: 000000013FBD346C
RegOpenKeyExA.ADVAPI32 ref: 000000013FBD34B6
RegQueryValueExA.ADVAPI32 ref: 000000013FBD350B
RegCloseKey.ADVAPI32 ref: 000000013FBD3543
RegOpenKeyExA.ADVAPI32 ref: 000000013FBD357C
RegCloseKey.ADVAPI32 ref: 000000013FBD3591
RegQueryValueExA.ADVAPI32 ref: 000000013FBD35D8
RegCloseKey.ADVAPI32 ref: 000000013FBD3611
RegCloseKey.ADVAPI32 ref: 000000013FBD3627

Strings

CItunesHelperMsgListener::Launch_iTunes() - disable auto-sync pref is set., xrefs: 000000013FBD35F7
CItunesHelperMsgListener::Launch_iTunes() - iTunes is disabled., xrefs: 000000013FBD3529

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Close$OpenQueryValue$HandleNextObjectProcess32SingleWait_mbsupr
String ID: CItunesHelperMsgListener::Launch_iTunes() - disable auto-sync pref is set.$CItunesHelperMsgListener::Launch_iTunes() - iTunes is disabled.
API String ID: 1732688491-1434908751
Opcode ID: 88133a470000aa627b36eab0d58adf8d3e7a6985b0c3c93d42897e15bce4ab70
Instruction ID: 04abd51b5656504280c0080a5465da9bff813f00a866c9cc9931b16e135bfdee
Opcode Fuzzy Hash: 88133a470000aa627b36eab0d58adf8d3e7a6985b0c3c93d42897e15bce4ab70
Instruction Fuzzy Hash: 0F8170B2614B8086FB508F25E8407DAF3A4F785794F481239FA5947BE9DB3CC646CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD39E0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD65B0: GetCurrentThreadId.KERNEL32(000000013FBD305E), ref: 000000013FBD66A8
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD675A
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6771
Part of subcall function 000000013FBD65B0: CreateFileW.KERNEL32 ref: 000000013FBD679B

SysStringLen.OLEAUT32 ref: 000000013FBD3A2E
WideCharToMultiByte.KERNEL32 ref: 000000013FBD3AC3
_mbsupr.LIBCMT ref: 000000013FBD3AD8
SysFreeString.OLEAUT32 ref: 000000013FBD3B19
SysFreeString.OLEAUT32 ref: 000000013FBD3B27
MultiByteToWideChar.KERNEL32 ref: 000000013FBD3B48
SysAllocStringLen.OLEAUT32 ref: 000000013FBD3B56
MultiByteToWideChar.KERNEL32 ref: 000000013FBD3B80
SysFreeString.OLEAUT32 ref: 000000013FBD3C1D

Strings

CItunesHelperMsgListener::OnExtendedFunction() - Preparing to launch iTunes, xrefs: 000000013FBD3BBC
Launch_iTunes, xrefs: 000000013FBD3BD2
itunes, xrefs: 000000013FBD3B9C
CItunesHelperMsgListener::OnExtendedFunction(), xrefs: 000000013FBD3A1A
CItunesHelperMsgListener::OnExtendedFunction() - data = '%s', xrefs: 000000013FBD3AE0

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: String$ByteCharFreeMultiWide$CriticalEnterSection$AllocCreateCurrentFileThread_mbsupr
String ID: CItunesHelperMsgListener::OnExtendedFunction()$CItunesHelperMsgListener::OnExtendedFunction() - Preparing to launch iTunes$CItunesHelperMsgListener::OnExtendedFunction() - data = '%s'$Launch_iTunes$itunes
API String ID: 4203419553-3816678462
Opcode ID: 6603e43dbdbccae5bb97ff5f574226b50ca0722a13fd68f04a6a5da27b8198d7
Instruction ID: 61e57c8830b4f7afcbbf1983f6990a6b3085e5a859f8b4c309c3276be7e683f5
Opcode Fuzzy Hash: 6603e43dbdbccae5bb97ff5f574226b50ca0722a13fd68f04a6a5da27b8198d7
Instruction Fuzzy Hash: 796182B1A00B4486E714DF25E8403D8B3A5F744BA4F48863DEA6A437EDDF39C65AC352

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD7D70 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 110registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32 ref: 000000013FBD7DD0
RegOpenKeyW.ADVAPI32 ref: 000000013FBD7DFB
RegQueryValueExW.ADVAPI32 ref: 000000013FBD7E53
RegCloseKey.ADVAPI32 ref: 000000013FBD7E60
RegQueryValueExW.ADVAPI32 ref: 000000013FBD7F16
RegCloseKey.ADVAPI32 ref: 000000013FBD7F23
LoadLibraryW.KERNEL32 ref: 000000013FBD7F45
GetProcAddress.KERNEL32 ref: 000000013FBD7F66

Strings

Software\Apple Inc.\Apple Mobile Device Support, xrefs: 000000013FBD7DEB
MobileDeviceDLL, xrefs: 000000013FBD7ED8
%u.%u.%u.%u, xrefs: 000000013FBD7E94
Version, xrefs: 000000013FBD7E4C
Software\Apple Inc.\Apple Mobile Device Support\Shared, xrefs: 000000013FBD7DC9
iTunesMobileDeviceDLL, xrefs: 000000013FBD7EED

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CloseOpenQueryValue$AddressLibraryLoadProc
String ID: %u.%u.%u.%u$MobileDeviceDLL$Software\Apple Inc.\Apple Mobile Device Support$Software\Apple Inc.\Apple Mobile Device Support\Shared$Version$iTunesMobileDeviceDLL
API String ID: 2856088927-4137113213
Opcode ID: c9710c51cc260f4ee756a6e3364fe724c798afddd0a31a04343ddc03ef3ef026
Instruction ID: 3cdcd4932c841a10f45733f31eed643dffa37ae580df6247b2a691b80f8ad755
Opcode Fuzzy Hash: c9710c51cc260f4ee756a6e3364fe724c798afddd0a31a04343ddc03ef3ef026
Instruction Fuzzy Hash: 88516371A04B8586EB60CF65E4847DAB7A4F785754F50012AE68D03BACDF7CC24ACB05

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD65B0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 139filethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD5EC0: InitializeCriticalSection.KERNEL32 ref: 000000013FBD5F39

GetCurrentThreadId.KERNEL32(000000013FBD305E), ref: 000000013FBD66A8

Part of subcall function 000000013FBE6DE0: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6E05

EnterCriticalSection.KERNEL32 ref: 000000013FBD675A
EnterCriticalSection.KERNEL32 ref: 000000013FBD6771
CreateFileW.KERNEL32 ref: 000000013FBD679B
SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD1469), ref: 000000013FBD67BC
WriteFile.KERNEL32 ref: 000000013FBD67F1
FlushFileBuffers.KERNEL32 ref: 000000013FBD67FA
CloseHandle.KERNEL32 ref: 000000013FBD6803
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD1469), ref: 000000013FBD6810
OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD1469), ref: 000000013FBD682C
LeaveCriticalSection.KERNEL32 ref: 000000013FBD6853

Part of subcall function 000000013FBE6E40: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6E68

Strings

[%s: 0x%X,%s %s] , xrefs: 000000013FBD66F4
INFO, xrefs: 000000013FBD66BD

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalSection$File$EnterLeave_invalid_parameter_noinfo$BuffersCloseCreateCurrentDebugFlushHandleInitializeOutputPointerStringThreadWrite
String ID: INFO$[%s: 0x%X,%s %s]
API String ID: 2962677655-4160259991
Opcode ID: a1615ec9b57dfa6a22961f30f6e983a334291a51d72d94be4403d2074437145f
Instruction ID: a30f80591e8c8cf7fab3e290774c47e5c09af33c142647df01ecb36bd686fb42
Opcode Fuzzy Hash: a1615ec9b57dfa6a22961f30f6e983a334291a51d72d94be4403d2074437145f
Instruction Fuzzy Hash: 8A712072908BC185E730DF25E4403EAB7A5F795794F44422AEACD07AADDF38C64ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD62D0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 137filethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD5EC0: InitializeCriticalSection.KERNEL32 ref: 000000013FBD5F39

GetCurrentThreadId.KERNEL32(000000013FBD2E4F), ref: 000000013FBD63B8

Part of subcall function 000000013FBE6DE0: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6E05

EnterCriticalSection.KERNEL32 ref: 000000013FBD6469
EnterCriticalSection.KERNEL32 ref: 000000013FBD6480
CreateFileW.KERNEL32 ref: 000000013FBD64AA
SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD1469), ref: 000000013FBD64CB
WriteFile.KERNEL32 ref: 000000013FBD6501
FlushFileBuffers.KERNEL32 ref: 000000013FBD650A
CloseHandle.KERNEL32 ref: 000000013FBD6513
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD1469), ref: 000000013FBD6520
OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD1469), ref: 000000013FBD653C
LeaveCriticalSection.KERNEL32 ref: 000000013FBD6563

Part of subcall function 000000013FBE6E40: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6E68

Strings

[%s: 0x%X,%s %s] , xrefs: 000000013FBD63F9
INFO, xrefs: 000000013FBD63CD

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalSection$File$EnterLeave_invalid_parameter_noinfo$BuffersCloseCreateCurrentDebugFlushHandleInitializeOutputPointerStringThreadWrite
String ID: INFO$[%s: 0x%X,%s %s]
API String ID: 2962677655-4160259991
Opcode ID: 1d852b3241893626fec8d0eaa7edd929a76c73f73bbdbd357384ef9149a24c25
Instruction ID: 1a73b8f5b7e0d030b9087f4413f835b5a144fb90a0cd87a1630603b15629f328
Opcode Fuzzy Hash: 1d852b3241893626fec8d0eaa7edd929a76c73f73bbdbd357384ef9149a24c25
Instruction Fuzzy Hash: F6713D72A08BC585E720DF21E4403EAB7A5F795794F444229EACD07AADDF38C74ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD7000 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 137filethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD5EC0: InitializeCriticalSection.KERNEL32 ref: 000000013FBD5F39

GetCurrentThreadId.KERNEL32(000000013FBD5CEF,?,?,?,000000013FBD5EAA,?,?,?,000000013FBD3986), ref: 000000013FBD70E8

Part of subcall function 000000013FBE6DE0: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6E05

EnterCriticalSection.KERNEL32(?,?,?,000000013FBD5EAA,?,?,?,000000013FBD3986), ref: 000000013FBD7199
EnterCriticalSection.KERNEL32(?,?,?,000000013FBD5EAA,?,?,?,000000013FBD3986), ref: 000000013FBD71B0
CreateFileW.KERNEL32 ref: 000000013FBD71DA
SetFilePointer.KERNEL32 ref: 000000013FBD71FB
WriteFile.KERNEL32 ref: 000000013FBD7231
FlushFileBuffers.KERNEL32 ref: 000000013FBD723A
CloseHandle.KERNEL32 ref: 000000013FBD7243
LeaveCriticalSection.KERNEL32 ref: 000000013FBD7250
OutputDebugStringA.KERNEL32(?,?,?,000000013FBD5EAA,?,?,?,000000013FBD3986), ref: 000000013FBD726C
LeaveCriticalSection.KERNEL32(?,?,?,000000013FBD5EAA,?,?,?,000000013FBD3986), ref: 000000013FBD7293

Part of subcall function 000000013FBE6E40: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6E68

Strings

ASSERT, xrefs: 000000013FBD70FD
[%s: 0x%X,%s %s] , xrefs: 000000013FBD7129

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalSection$File$EnterLeave_invalid_parameter_noinfo$BuffersCloseCreateCurrentDebugFlushHandleInitializeOutputPointerStringThreadWrite
String ID: ASSERT$[%s: 0x%X,%s %s]
API String ID: 2962677655-1579289482
Opcode ID: 79247e0e9bdd33d7744d59c28bcda40c9adeceb919d28564542434fe61ca4915
Instruction ID: b559f43743f23898e3014454ac69f6e561b870ecfa1f6e0474cfbb63ed4f3f38
Opcode Fuzzy Hash: 79247e0e9bdd33d7744d59c28bcda40c9adeceb919d28564542434fe61ca4915
Instruction Fuzzy Hash: 05713E72A08BC185E720DF21E4403DAB7A5F795794F44422AEACD07AADDF38C74ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD5FF0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 137filethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD5EC0: InitializeCriticalSection.KERNEL32 ref: 000000013FBD5F39

GetCurrentThreadId.KERNEL32(000000013FBD1165), ref: 000000013FBD60E1

Part of subcall function 000000013FBE6DE0: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6E05

EnterCriticalSection.KERNEL32 ref: 000000013FBD6193
EnterCriticalSection.KERNEL32 ref: 000000013FBD61AA
CreateFileW.KERNEL32 ref: 000000013FBD61D4
SetFilePointer.KERNEL32 ref: 000000013FBD61F5
WriteFile.KERNEL32 ref: 000000013FBD6224
FlushFileBuffers.KERNEL32 ref: 000000013FBD622D
CloseHandle.KERNEL32 ref: 000000013FBD6236
LeaveCriticalSection.KERNEL32 ref: 000000013FBD6243
OutputDebugStringA.KERNEL32 ref: 000000013FBD625F
LeaveCriticalSection.KERNEL32 ref: 000000013FBD6286

Part of subcall function 000000013FBE6E40: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6E68

Strings

ERROR, xrefs: 000000013FBD60F6
[%s: 0x%X,%s %s] , xrefs: 000000013FBD612D

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalSection$File$EnterLeave_invalid_parameter_noinfo$BuffersCloseCreateCurrentDebugFlushHandleInitializeOutputPointerStringThreadWrite
String ID: ERROR$[%s: 0x%X,%s %s]
API String ID: 2962677655-979556517
Opcode ID: 72351b7b738f35f619d7d8b77e340b29f5f0f0ea12358d9f842d04191ca863bf
Instruction ID: 37273084b0f7fb84e19bc793955189f87726ce576e2921ff9a28d3b11bb35b92
Opcode Fuzzy Hash: 72351b7b738f35f619d7d8b77e340b29f5f0f0ea12358d9f842d04191ca863bf
Instruction Fuzzy Hash: 7B711E72A08BC185E730EF21E4403DAB7A5F795794F444229EACD43AADDF78C64ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDA58C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000013FBDA5A2
GetModuleHandleW.KERNEL32 ref: 000000013FBDA5AF
GetModuleHandleW.KERNEL32 ref: 000000013FBDA5C4
GetProcAddress.KERNEL32 ref: 000000013FBDA5DC
GetProcAddress.KERNEL32 ref: 000000013FBDA5EF
CreateEventW.KERNEL32 ref: 000000013FBDA61B
DeleteCriticalSection.KERNEL32 ref: 000000013FBDA667
CloseHandle.KERNEL32 ref: 000000013FBDA679

Strings

kernel32.dll, xrefs: 000000013FBDA5BD
SleepConditionVariableCS, xrefs: 000000013FBDA5D2
api-ms-win-core-synch-l1-2-0.dll, xrefs: 000000013FBDA5A8
WakeAllConditionVariable, xrefs: 000000013FBDA5E2

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: fe3415c8bf738a4e4c9ac778db4eabba7e3f37f2aa2cc5fe04fbc3e409b7b6fd
Instruction ID: 720d179b952d8eda01e9b245da9bf8da0c842a8bd0418aaaa3d4608aeb2994b7
Opcode Fuzzy Hash: fe3415c8bf738a4e4c9ac778db4eabba7e3f37f2aa2cc5fe04fbc3e409b7b6fd
Instruction Fuzzy Hash: 632130B0E92B05C1FE549F25EC54BE8A3A5BB44B40F44143CD90E026EAEF2DD75B8302

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD68A0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 162registryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD5EC0: InitializeCriticalSection.KERNEL32 ref: 000000013FBD5F39

RegOpenKeyExW.ADVAPI32 ref: 000000013FBD6977
MultiByteToWideChar.KERNEL32 ref: 000000013FBD69AA
RegQueryValueExW.ADVAPI32 ref: 000000013FBD69E4
GetModuleHandleA.KERNEL32 ref: 000000013FBD6A24
GetModuleFileNameW.KERNEL32 ref: 000000013FBD6A36

Part of subcall function 000000013FBE6D78: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6D9E

Part of subcall function 000000013FBE0F18: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE0F41

CopyFileW.KERNEL32 ref: 000000013FBD6B03
CreateFileW.KERNEL32 ref: 000000013FBD6B28
CloseHandle.KERNEL32 ref: 000000013FBD6B3B

Strings

Backup, xrefs: 000000013FBD6ACB
.txt, xrefs: 000000013FBD6ABF
SOFTWARE\Apple Computer, Inc.\iPod, xrefs: 000000013FBD6969

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: File$HandleModule_invalid_parameter_noinfo$ByteCharCloseCopyCreateCriticalInitializeMultiNameOpenQuerySectionValueWide
String ID: .txt$Backup$SOFTWARE\Apple Computer, Inc.\iPod
API String ID: 3198330762-1913832090
Opcode ID: 63294a708f22918f9d9b27457cf3edf7a8df5472a22562dbbab116eb8406367b
Instruction ID: 5f6e31d0e78c00109c5f94e2bcd537e375bf7a3c75fa25c0e35bc990c1168864
Opcode Fuzzy Hash: 63294a708f22918f9d9b27457cf3edf7a8df5472a22562dbbab116eb8406367b
Instruction Fuzzy Hash: 497194B5A0478482FB60AF20E5513EAA362E7857A4F804239EA9907BDDDF7CC647C741

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD3F90 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 56memorywindowCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000013FBD3FB8
GetLastError.KERNEL32 ref: 000000013FBD3FC0
PathRemoveFileSpecW.SHLWAPI ref: 000000013FBD3FDB
SysAllocString.OLEAUT32 ref: 000000013FBD4041
PostMessageA.USER32 ref: 000000013FBD4055

Strings

GetLastError() == ERROR_SUCCESS && pathLen > 0, xrefs: 000000013FBD4063
CMobileDeviceListener::PostLaunchITunesEvent(), xrefs: 000000013FBD401B
Using iTunes path '%S', xrefs: 000000013FBD4014
\iTunes.exe, xrefs: 000000013FBD3FF4
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\MobileDeviceListener.cpp, xrefs: 000000013FBD406D
PathRemoveFileSpecW(launchPath), xrefs: 000000013FBD3FEB

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: File$AllocErrorLastMessageModuleNamePathPostRemoveSpecString
String ID: CMobileDeviceListener::PostLaunchITunesEvent()$D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\MobileDeviceListener.cpp$GetLastError() == ERROR_SUCCESS && pathLen > 0$PathRemoveFileSpecW(launchPath)$Using iTunes path '%S'$\iTunes.exe
API String ID: 2983141929-1673131733
Opcode ID: 0fd1d6136e30f57a45bf008f46a353fb61c9ff9db1bf0ec83d184ab939c14de3
Instruction ID: 50f4d5c352fb08df0c88c164437f4d3b2e3b6f675281d4e53e72e45885cc239c
Opcode Fuzzy Hash: 0fd1d6136e30f57a45bf008f46a353fb61c9ff9db1bf0ec83d184ab939c14de3
Instruction Fuzzy Hash: 39214FF1A1064182FA209F65E8557E99360BB48748F80003DA94D466E9EF3DC74FC742

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD2B00 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 79sleepthreadwindowCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 000000013FBD2B26
Sleep.KERNEL32 ref: 000000013FBD2B4C
CreateEventW.KERNEL32 ref: 000000013FBD2B76
WaitForMultipleObjects.KERNEL32 ref: 000000013FBD2BD1
PostThreadMessageA.USER32 ref: 000000013FBD2C10

Strings

CItunesHelperModule::MonitorExtShutdownRequest() - External client has signaled us to quit, shutting down!, xrefs: 000000013FBD2BF7
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\iTunesHelperModule.cpp, xrefs: 000000013FBD2B89
hWaitObjects[dwNumObjects] != NULL, xrefs: 000000013FBD2B96
d, xrefs: 000000013FBD2B40

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Sleep$CreateEventMessageMultipleObjectsPostThreadWait
String ID: CItunesHelperModule::MonitorExtShutdownRequest() - External client has signaled us to quit, shutting down!$D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\iTunesHelperModule.cpp$d$hWaitObjects[dwNumObjects] != NULL
API String ID: 2819705748-1895936456
Opcode ID: 2731c80e4cf147a7ede594f27b32c5e2ea5dddcdb9fc44dd579e8ef546c3a4de
Instruction ID: 7ad680ee537f6e713c13e5520abda916f780daa9259fe69a7294b9e7a3d7ad69
Opcode Fuzzy Hash: 2731c80e4cf147a7ede594f27b32c5e2ea5dddcdb9fc44dd579e8ef546c3a4de
Instruction Fuzzy Hash: 2131AFB9B01B8082FB249F24E4407A9B3A1FB48754F844539EB8847BD8EF7DCA478701

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD3CE0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD8AB0: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,000000013FBD3D99), ref: 000000013FBD8AC4

GetCurrentProcessId.KERNEL32 ref: 000000013FBD3D05
ProcessIdToSessionId.KERNEL32 ref: 000000013FBD3D12
GetLastError.KERNEL32 ref: 000000013FBD3D29

Strings

WTSGetActiveConsoleSessionId() returned invalid ID, xrefs: 000000013FBD3D47
ProcessIdToSessionId failed (0x%08X), xrefs: 000000013FBD3D32
true, xrefs: 000000013FBD3D5C
CMobileDeviceListener::IsActiveConsoleSession(), xrefs: 000000013FBD3D39, 000000013FBD3D4E
false, xrefs: 000000013FBD3D63
CMobileDeviceListener::IsActiveConsoleSession() - %s, xrefs: 000000013FBD3D6E

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Process$CurrentErrorLastLibraryLoadSession
String ID: CMobileDeviceListener::IsActiveConsoleSession()$CMobileDeviceListener::IsActiveConsoleSession() - %s$ProcessIdToSessionId failed (0x%08X)$WTSGetActiveConsoleSessionId() returned invalid ID$false$true
API String ID: 1564432939-462315266
Opcode ID: e019a0ddd608988e170e2baa2deb3ab99dbe2ef970688b6875ea16ecb7a65f33
Instruction ID: fee388bf597c588b6bed7f7d424d251a0b093caeeea9868f62955b82daf8d3c3
Opcode Fuzzy Hash: e019a0ddd608988e170e2baa2deb3ab99dbe2ef970688b6875ea16ecb7a65f33
Instruction Fuzzy Hash: AF1127F1A2060192EA509F64E8807E9B761A740351F84123AB45A4A5FDEF29C74FCB12

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD15D0 Relevance: 15.1, APIs: 10, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000013FBD15FB
MultiByteToWideChar.KERNEL32 ref: 000000013FBD1618
SysAllocStringLen.OLEAUT32 ref: 000000013FBD1626
MultiByteToWideChar.KERNEL32 ref: 000000013FBD164A
SysFreeString.OLEAUT32 ref: 000000013FBD1658

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: String$ByteCharFreeMultiWide$Alloc
String ID:
API String ID: 287317156-0
Opcode ID: da66a9582c990832fba3a9be41e58170a365c233234b9e359a76352001b55baa
Instruction ID: 58734e1cc8ac3300ee0474faa6d32d4cb6ad1794b5e2289e11393091c71ae2f9
Opcode Fuzzy Hash: da66a9582c990832fba3a9be41e58170a365c233234b9e359a76352001b55baa
Instruction Fuzzy Hash: A931BEB6A01B0182F7158F25F8003ADE7E5BB847D4F18453DAE8A427A8DF3DC69BC601

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE1C70 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE1CB0
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE2078
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE2317

Strings

f, xrefs: 000000013FBE1DB2
f, xrefs: 000000013FBE1D48
p, xrefs: 000000013FBE1D55
p, xrefs: 000000013FBE1DBA
f, xrefs: 000000013FBE1EFD

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 03605473cc651601549c3882160930f91464921065ef28aed4bf3c5cec386613
Instruction ID: 919c739b4bf681e05533c82907dbeb7a32b6578d6c3764242467d0d4e8838015
Opcode Fuzzy Hash: 03605473cc651601549c3882160930f91464921065ef28aed4bf3c5cec386613
Instruction Fuzzy Hash: 3F1272B2E0818186FB24AF14F0547EAF791F3B0750F984529E6DA47ACDDB78C682DB11

Uniqueness

Uniqueness Score: -1.00%

Function 6BE594D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 201librarymemoryloaderCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 6BE59555
GetProcAddress.KERNEL32 ref: 6BE59649
GetLastError.KERNEL32 ref: 6BE59656
RaiseException.KERNEL32 ref: 6BE59695
LoadLibraryA.KERNEL32 ref: 6BE59701
LocalAlloc.KERNEL32 ref: 6BE5972F
RaiseException.KERNEL32 ref: 6BE5979A

Strings

MZP, xrefs: 6BE594F6

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: ExceptionRaise$AddressAllocErrorLastLibraryLoadLocalProc
String ID: MZP
API String ID: 451163980-2889622443
Opcode ID: a4bc3d63512a7a069c767635dfcd7438a545cca15c9b33667003ba3d3265c9d9
Instruction ID: 47d137a4d5fe82dbe01b7a759bef821b41b88066e63e7c3dcb5e983f39303c40
Opcode Fuzzy Hash: a4bc3d63512a7a069c767635dfcd7438a545cca15c9b33667003ba3d3265c9d9
Instruction Fuzzy Hash: 8B71CEB7B11B208AEB05CFA1D84039D37B5BB48B88F64852ACE0D57B19DF7AC565C310

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD90D0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 97registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000013FBD9115
RegQueryInfoKeyA.ADVAPI32 ref: 000000013FBD9162
RegEnumKeyExA.ADVAPI32 ref: 000000013FBD91E0
RegGetValueA.ADVAPI32 ref: 000000013FBD9244
GetFileAttributesA.KERNEL32 ref: 000000013FBD9252
RegCloseKey.ADVAPI32 ref: 000000013FBD9285

Strings

SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages, xrefs: 000000013FBD9109
Path, xrefs: 000000013FBD9210

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: AttributesCloseEnumFileInfoOpenQueryValue
String ID: Path$SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages
API String ID: 1903503675-1185977912
Opcode ID: c9608affb8bdac41f99f3a7f904c54c88693c617547d6688b92a7652dfb6a566
Instruction ID: a7a761b85ef32f6ecbdc596cfc26058aa5a11e39eed55554ecf71818088e4ae6
Opcode Fuzzy Hash: c9608affb8bdac41f99f3a7f904c54c88693c617547d6688b92a7652dfb6a566
Instruction Fuzzy Hash: 73410A72608B8186E7609F25F4847DAB7A5F789784F540229EBC943B6CDF3CC646CB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD8A00 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 40registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000013FBD8A25
RegQueryValueExW.ADVAPI32 ref: 000000013FBD8A52
RegCloseKey.ADVAPI32 ref: 000000013FBD8A62
HeapSetInformation.KERNEL32 ref: 000000013FBD8A7D

Strings

heapSetInfoResult, xrefs: 000000013FBD8A97
SOFTWARE\Apple Computer, Inc.\iTunes\, xrefs: 000000013FBD8A17
DisableTerminationOnHeapCorruption, xrefs: 000000013FBD8A34
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\Common\Windows\WinUtils.cpp, xrefs: 000000013FBD8A8A

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CloseHeapInformationOpenQueryValue
String ID: D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\Common\Windows\WinUtils.cpp$DisableTerminationOnHeapCorruption$SOFTWARE\Apple Computer, Inc.\iTunes\$heapSetInfoResult
API String ID: 2403383521-945231717
Opcode ID: 2641917932a5cc5d5fe2681169cae9d71adc60fc5d2d33be31cfcc89e031012d
Instruction ID: 11b335f1c37a8a64737d2856e97658890013177ce0a0d8ebccf5505abff5ae87
Opcode Fuzzy Hash: 2641917932a5cc5d5fe2681169cae9d71adc60fc5d2d33be31cfcc89e031012d
Instruction Fuzzy Hash: 7011A176B54B4182F7608F21F891F9AB364F785744F806138EA4A43EA8DF3DC20ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 020AB9F0 Relevance: 13.9, Strings: 11, Instructions: 154COMMON

Download Yara Rule

Strings

delimitador, xrefs: 020ABB25
c:\debugg, xrefs: 020ABA69, 020ABC0E
sqlite3.dll, xrefs: 020ABAEE
c:\temp, xrefs: 020ABBB7, 020ABBC9
c:\temp\Autoit3.exe, xrefs: 020ABBD5, 020ABC6D
c:\temp\test.txt, xrefs: 020ABBFB
debugg-- , xrefs: 020ABA7F
c:\temp\script.a3x, xrefs: 020ABBE8, 020ABC74
AU3_Script-- , xrefs: 020ABC40
c:\temp\, xrefs: 020ABC7B
eXAWVDek, xrefs: 020ABA5D

Memory Dump Source

Source File: 0000000A.00000002.510525766.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2080000_iTunesHelper.jbxd

Similarity

API ID:
String ID: AU3_Script-- $c:\debugg$c:\temp$c:\temp\$c:\temp\Autoit3.exe$c:\temp\script.a3x$c:\temp\test.txt$debugg-- $delimitador$eXAWVDek$sqlite3.dll
API String ID: 0-638518046
Opcode ID: 7fea2951cacfc32edf2d9fc53fe9c9ced2974819eb42b78929d81a8fd0d9395e
Instruction ID: e3d0d1512deed106f8a11531ebb69d3b3cac9e9cf08ea9cdf84d80cb8f31d985
Opcode Fuzzy Hash: 7fea2951cacfc32edf2d9fc53fe9c9ced2974819eb42b78929d81a8fd0d9395e
Instruction Fuzzy Hash: A3711971210B44D5EB00EFA4D8A83EA3766FB6478CFD05113DA4E43A6AEF78C58AD750

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDDDE8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000000013FBDDE45

Part of subcall function 000000013FBE013C: __GetUnwindTryBlock.LIBCMT ref: 000000013FBE017F
Part of subcall function 000000013FBE013C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000000013FBE01A4

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000000013FBDDF1D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000000013FBDE172
std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FBDE27E

Strings

csm, xrefs: 000000013FBDDF40
csm, xrefs: 000000013FBDDEC6
csm, xrefs: 000000013FBDDE5F

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 8608fd567cae9e318018347791d12238181e8cf192c5249051c0c15c3896cf62
Instruction ID: 88d5fbd87cea18665d9b6cac03b162a9d287f3eb127f5937ccebb007b69ed450
Opcode Fuzzy Hash: 8608fd567cae9e318018347791d12238181e8cf192c5249051c0c15c3896cf62
Instruction Fuzzy Hash: 5AE18EB2A00B408AEB209F65D4413DDBBA4F759B98F104129FE8957BDDCB38D682C703

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBEFA2C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,000000013FBEFD1A), ref: 000000013FBEFBA8
GetProcAddress.KERNEL32(?,?,?,000000013FBEFD1A), ref: 000000013FBEFBB4

Strings

ext-ms-, xrefs: 000000013FBEFB05
api-ms-, xrefs: 000000013FBEFAF2

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: fa38cd8ad30813f5c93d02acb4ded0bda3e1c2d291c454aa6f6bd1f5d7635f98
Instruction ID: 0a4aee73ceb465c4429e545263dde037e7b0315dcf8fba181f5c0fbf21331902
Opcode Fuzzy Hash: fa38cd8ad30813f5c93d02acb4ded0bda3e1c2d291c454aa6f6bd1f5d7635f98
Instruction Fuzzy Hash: 9B41A0B6B11A0081FA168F26E8247E5B391F759BE0F49553D9E0D9B79CEA39C64B8300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD2360 Relevance: 12.3, APIs: 8, Instructions: 347COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000013FBD23C4
GetModuleFileNameA.KERNEL32 ref: 000000013FBD244D
MultiByteToWideChar.KERNEL32 ref: 000000013FBD252B
LoadTypeLib.OLEAUT32 ref: 000000013FBD2572
EnterCriticalSection.KERNEL32 ref: 000000013FBD2719
LeaveCriticalSection.KERNEL32 ref: 000000013FBD279C

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalSection$Enter$ByteCharFileLeaveLoadModuleMultiNameTypeWide
String ID:
API String ID: 1805655140-0
Opcode ID: 1201a0330a6309db4daf305e43ff131e78b39ca2755361be195bcb0cb46f826c
Instruction ID: 6f9b3156b8dc01bfc729808ceaa529bf404fa73969a21749b37644faf8d2b76b
Opcode Fuzzy Hash: 1201a0330a6309db4daf305e43ff131e78b39ca2755361be195bcb0cb46f826c
Instruction Fuzzy Hash: 3FE193B2B01B8586EF24CF25D8507E8A3A0FB54B98F444539EA9D477E8DF38C646C302

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD8AB0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,000000013FBD3D99), ref: 000000013FBD8AC4
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,000000013FBD3D99), ref: 000000013FBD8AFC
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,000000013FBD3D99), ref: 000000013FBD8B0E

Part of subcall function 000000013FBD5FF0: GetCurrentThreadId.KERNEL32(000000013FBD1165), ref: 000000013FBD60E1
Part of subcall function 000000013FBD5FF0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6193
Part of subcall function 000000013FBD5FF0: EnterCriticalSection.KERNEL32 ref: 000000013FBD61AA
Part of subcall function 000000013FBD5FF0: CreateFileW.KERNEL32 ref: 000000013FBD61D4
Part of subcall function 000000013FBD5FF0: SetFilePointer.KERNEL32 ref: 000000013FBD61F5

Strings

CWinUtils::GetCurrentSession(), xrefs: 000000013FBD8AD9
can't load Kernel32.dll, xrefs: 000000013FBD8AD2
Kernel32.dll, xrefs: 000000013FBD8ABD
WTSGetActiveConsoleSessionId, xrefs: 000000013FBD8AF2

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalEnterFileLibrarySection$AddressCreateCurrentFreeLoadPointerProcThread
String ID: CWinUtils::GetCurrentSession()$Kernel32.dll$WTSGetActiveConsoleSessionId$can't load Kernel32.dll
API String ID: 1624891417-2724044075
Opcode ID: 92a1e71d7fce590ec13e0af4c1435eac245061dd79d7d07349551f107abff737
Instruction ID: 0daa842ca4fffa05c132fae8fec6cde2181c497ec7a6d671660086650da5ab48
Opcode Fuzzy Hash: 92a1e71d7fce590ec13e0af4c1435eac245061dd79d7d07349551f107abff737
Instruction Fuzzy Hash: AFF062B1B9270581FF849F15F9807E56360E748781F496439A91E427A9EE3CC78BC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE5BF4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE5C37
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6024
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE62C0

Strings

p, xrefs: 000000013FBE5D61
f, xrefs: 000000013FBE5D59
p, xrefs: 000000013FBE5CE9

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: b6993eaef3af951837f3a108ed116dd4344ee2e449f7cb590c01326803456ce0
Instruction ID: da77f543de4909acf21702430dfeea1eec2ce62dedd705668c3667724f77a96c
Opcode Fuzzy Hash: b6993eaef3af951837f3a108ed116dd4344ee2e449f7cb590c01326803456ce0
Instruction Fuzzy Hash: 5C12E5B2E1414186FB60AF14F0547FAF7A2F370750F94403AEA8A87ACDD739C6828B50

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE6390 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 480COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE63D4
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE67B7
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6A5E

Strings

p, xrefs: 000000013FBE6486
p, xrefs: 000000013FBE64FE
f, xrefs: 000000013FBE64F6

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: c45c858df3806a22df62cf2325c7e9732651af64dfa0adf6bc79cc351efb8333
Instruction ID: 4b6d0778989e84830bf44e7d5832a5e1c4ed774f921ff50daec13214888441b6
Opcode Fuzzy Hash: c45c858df3806a22df62cf2325c7e9732651af64dfa0adf6bc79cc351efb8333
Instruction Fuzzy Hash: 2212B2B5F2424186FB249F15F0543EAF6A3F364760F84813EEA99476CCD778C6928B04

Uniqueness

Uniqueness Score: -1.00%

Function 6BE4C9D0 Relevance: 10.6, APIs: 7, Instructions: 146threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BE4D020: GetCurrentThreadId.KERNEL32(?,?,00000000,6BE4C9F6,?,?,00000000,00000000,?,?,?,?,6BE56859), ref: 6BE4D028

GetTickCount.KERNEL32(?,?,00000000,00000000,?,?,?,?,6BE56859,?,?,?,?,6BE56E27), ref: 6BE4CA16
GetTickCount.KERNEL32 ref: 6BE4CA2F
GetCurrentThreadId.KERNEL32 ref: 6BE4CA68
GetTickCount.KERNEL32 ref: 6BE4CA9B
GetTickCount.KERNEL32 ref: 6BE4CAD4
GetTickCount.KERNEL32(?,?,00000000,00000000,?,?,?,?,6BE56859,?,?,?,?,6BE56E27), ref: 6BE4CB02
GetCurrentThreadId.KERNEL32(?,?,00000000,00000000,?,?,?,?,6BE56859,?,?,?,?,6BE56E27), ref: 6BE4CB72

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 406a3f0cad7c77eff160662fcebbf7d82e92bd9465691234c52cc9ec7e4eab2e
Instruction ID: c55c7553b3bd0a7877a53414a9f3dd590f3738c4bc6250c63b5b328cadaaf30e
Opcode Fuzzy Hash: 406a3f0cad7c77eff160662fcebbf7d82e92bd9465691234c52cc9ec7e4eab2e
Instruction Fuzzy Hash: 4C41D3327016018ED7148E7AE98038A3B61E748BECB35562DDE0DC7758DB79C4DE8790

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD5A70 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

CM_Get_Device_IDW.SETUPAPI ref: 000000013FBD5B3B

Strings

D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DFUDeviceListener.cpp, xrefs: 000000013FBD5B48, 000000013FBD5BB5, 000000013FBD5BD1
::CM_Get_Device_IDW(deviceInfoData->DevInst, deviceInstanceID, sizeof(deviceInstanceID) / sizeof(WCHAR), 0) == CR_SUCCESS, xrefs: 000000013FBD5B55
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\LinkListUtilities.h, xrefs: 000000013FBD5C23
element->*PNEXT == nil, xrefs: 000000013FBD5C2A
dfuDevice != nil, xrefs: 000000013FBD5BC2, 000000013FBD5BDE

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Device_Get_
String ID: ::CM_Get_Device_IDW(deviceInfoData->DevInst, deviceInstanceID, sizeof(deviceInstanceID) / sizeof(WCHAR), 0) == CR_SUCCESS$D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\DFUDeviceListener.cpp$D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\Utilities\LinkListUtilities.h$dfuDevice != nil$element->*PNEXT == nil
API String ID: 3602455593-670496623
Opcode ID: 70ce0db422083a5583b78fc57538e17964396d24a4217040ad0e98011282e03d
Instruction ID: 556542387c78ab4863f4a45f132723554d0622393fc1ee5dc36ee6e17df89b96
Opcode Fuzzy Hash: 70ce0db422083a5583b78fc57538e17964396d24a4217040ad0e98011282e03d
Instruction Fuzzy Hash: BF5198B2B1464581EB649F11E4507EAA7A0F785B88F88503ABA8D076EDDF38C746C702

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE068C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,000000013FBE093E,?,?,?,000000013FBE0630,?,?,00000001,000000013FBDD2E9), ref: 000000013FBE0711
GetLastError.KERNEL32(?,?,?,000000013FBE093E,?,?,?,000000013FBE0630,?,?,00000001,000000013FBDD2E9), ref: 000000013FBE071F
LoadLibraryExW.KERNEL32(?,?,?,000000013FBE093E,?,?,?,000000013FBE0630,?,?,00000001,000000013FBDD2E9), ref: 000000013FBE0749
FreeLibrary.KERNEL32(?,?,?,000000013FBE093E,?,?,?,000000013FBE0630,?,?,00000001,000000013FBDD2E9), ref: 000000013FBE078F
GetProcAddress.KERNEL32(?,?,?,000000013FBE093E,?,?,?,000000013FBE0630,?,?,00000001,000000013FBDD2E9), ref: 000000013FBE079B

Strings

api-ms-, xrefs: 000000013FBE0731

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 90b869b0b52888882f07dc4bd89423715679e2e458fa04fec9e3662d3ff01ced
Instruction ID: 52f9a7f12f78dae4650a87915474502cf33bffc53a2604955d24deb98c5e56e2
Opcode Fuzzy Hash: 90b869b0b52888882f07dc4bd89423715679e2e458fa04fec9e3662d3ff01ced
Instruction Fuzzy Hash: 5F31AFB1B12B4091EE529F06F8007E9A394B758BE0F59463DDE1D0B3A8EF38C6568B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF0880 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000013FBF088F
FlsGetValue.KERNEL32 ref: 000000013FBF08A4
FlsSetValue.KERNEL32 ref: 000000013FBF08C5
FlsSetValue.KERNEL32 ref: 000000013FBF08F2
FlsSetValue.KERNEL32 ref: 000000013FBF0903
FlsSetValue.KERNEL32 ref: 000000013FBF0914
SetLastError.KERNEL32 ref: 000000013FBF092F

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 28fedf999cba9b3dd09498284d5df06bb2c7a8c29bfe3e1d76c56de08d264fe7
Instruction ID: 3946367e49cfc6091dc2e1225052bc46188382641629b147e63e398215c37093
Opcode Fuzzy Hash: 28fedf999cba9b3dd09498284d5df06bb2c7a8c29bfe3e1d76c56de08d264fe7
Instruction Fuzzy Hash: CB21C3B0F0134441FA586735E5553EDD2429B847F0F14973C997A07AFEEE29C64B8280

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD4530 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50timeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD30A0), ref: 000000013FBD4553
KillTimer.USER32 ref: 000000013FBD458B
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000013FBD30A0), ref: 000000013FBD45D1

Strings

CMobileDeviceListener::Stop() - not running XP SP2 or later, xrefs: 000000013FBD45D9
CMobileDeviceListener::UnsubscribeToMobileDeviceNotification(), xrefs: 000000013FBD45BE
AMDeviceNotificationUnsubscribe failed (0x%08X), xrefs: 000000013FBD45B7

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalSection$EnterKillLeaveTimer
String ID: AMDeviceNotificationUnsubscribe failed (0x%08X)$CMobileDeviceListener::Stop() - not running XP SP2 or later$CMobileDeviceListener::UnsubscribeToMobileDeviceNotification()
API String ID: 610966039-3597675763
Opcode ID: 09e0c924af41a0c9a48808c4a640370dc31621526d6d22467774291af0b35e1c
Instruction ID: 009b98479e3694620eadef63cd157974783766492e5cf404f3959f8f634542e3
Opcode Fuzzy Hash: 09e0c924af41a0c9a48808c4a640370dc31621526d6d22467774291af0b35e1c
Instruction Fuzzy Hash: 9F1190B1E0468481FB10AF25E5453EAE7A0EB50B88F484539FA49476DEDF29CB4BC353

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBFC1C0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000000013FBFC1F1
GetLastError.KERNEL32 ref: 000000013FBFC1FD
CloseHandle.KERNEL32 ref: 000000013FBFC215
CreateFileW.KERNEL32 ref: 000000013FBFC240
WriteConsoleW.KERNEL32 ref: 000000013FBFC25F

Strings

CONOUT$, xrefs: 000000013FBFC221

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: aa910486bda6f7c32d477a22c8fb7a8c421507c476b2302b26e2714e07971deb
Instruction ID: 9d2b1ece1b873a4c74b26a74c904587d0f13d83f04696a0d9cafc16e8b227b2b
Opcode Fuzzy Hash: aa910486bda6f7c32d477a22c8fb7a8c421507c476b2302b26e2714e07971deb
Instruction Fuzzy Hash: A111B271B10B4082F7508B56F858799B3A0F389FE4F000238EA5987BA8CF3DC64AC740

Uniqueness

Uniqueness Score: -1.00%

Function 6BE4E890 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,?,?,6BE4E98B), ref: 6BE4E8C8
WriteFile.KERNEL32 ref: 6BE4E8EB
GetStdHandle.KERNEL32 ref: 6BE4E8F5
WriteFile.KERNEL32 ref: 6BE4E923

Strings

Runtime error at 0000000000000000, xrefs: 6BE4E8D0, 6BE4E935
Error, xrefs: 6BE4E93C

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 0000000000000000
API String ID: 3320372497-326393251
Opcode ID: 0f6f3ec3fdda10c397622d5c083ba61a9c9d3e98c2ffc35716c4027b71c72137
Instruction ID: c06258a914caf60d308739364970fb72828e7ffa345fe9e1ae1b368035b8aae3
Opcode Fuzzy Hash: 0f6f3ec3fdda10c397622d5c083ba61a9c9d3e98c2ffc35716c4027b71c72137
Instruction Fuzzy Hash: 861122A1A28A48D4FB18D730FC003963362A744758F6006AED96E827F5DF7D81E8C341

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD3DB0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38memorywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD65B0: GetCurrentThreadId.KERNEL32(000000013FBD305E), ref: 000000013FBD66A8
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD675A
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6771
Part of subcall function 000000013FBD65B0: CreateFileW.KERNEL32 ref: 000000013FBD679B

GetModuleFileNameW.KERNEL32 ref: 000000013FBD3FB8
GetLastError.KERNEL32 ref: 000000013FBD3FC0
PathRemoveFileSpecW.SHLWAPI ref: 000000013FBD3FDB
SysAllocString.OLEAUT32 ref: 000000013FBD4041
PostMessageA.USER32 ref: 000000013FBD4055

Strings

CMobileDeviceListener::MobileDeviceDFUModeDeviceConnectedCallback(), xrefs: 000000013FBD3DC0
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\MobileDeviceListener.cpp, xrefs: 000000013FBD406D
PathRemoveFileSpecW(launchPath), xrefs: 000000013FBD3FEB

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: File$CriticalEnterSection$AllocCreateCurrentErrorLastMessageModuleNamePathPostRemoveSpecStringThread
String ID: CMobileDeviceListener::MobileDeviceDFUModeDeviceConnectedCallback()$D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\MobileDeviceListener.cpp$PathRemoveFileSpecW(launchPath)
API String ID: 212662739-1618578574
Opcode ID: 907af12e01ea5475187f25a54ff9265925a5df60f3a6fdb7f613083a229ad9a9
Instruction ID: 9fdeb106b0795e6cc6ebb9ee020d2f017cb522ccf926c29b43cc555963744835
Opcode Fuzzy Hash: 907af12e01ea5475187f25a54ff9265925a5df60f3a6fdb7f613083a229ad9a9
Instruction Fuzzy Hash: D5014CF1F1078492FA20AF25E8957E5A261EB59748F80003EA90D462E9EF2DC34FC702

Uniqueness

Uniqueness Score: -1.00%

Function 6BE88DC0 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32 ref: 6BE88E5B
SafeArrayGetUBound.OLEAUT32 ref: 6BE88E71
SafeArrayCreate.OLEAUT32 ref: 6BE88EAB
SafeArrayPtrOfIndex.OLEAUT32 ref: 6BE88F2A
SafeArrayPtrOfIndex.OLEAUT32 ref: 6BE88F44
VariantCopy.OLEAUT32 ref: 6BE88F75

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: fedbb2d7a1747011060dc486d1d00ccebcfc9b34e56b7bb6b3a7034112154f27
Instruction ID: 161da95b9d3d2a4295b89ff682689daed3a2828369c89155fd363291c68bfabd
Opcode Fuzzy Hash: fedbb2d7a1747011060dc486d1d00ccebcfc9b34e56b7bb6b3a7034112154f27
Instruction Fuzzy Hash: 00412837610E548ECB14DF75C9902DE2762F784B9CB245465EE0E9BB48EF39D892C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDE2C0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 316COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000000013FBDE45E
std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FBDE781

Strings

csm, xrefs: 000000013FBDE3A5
csm, xrefs: 000000013FBDE485
csm, xrefs: 000000013FBDE407

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 06fbb35a787d042d80e9397f648e0fb2ecdfb7ab343b487120ed669a079a4c75
Instruction ID: 346b976f7a804e75de06de834349399657f8b30c5c34c56730bd9b09f9528d8e
Opcode Fuzzy Hash: 06fbb35a787d042d80e9397f648e0fb2ecdfb7ab343b487120ed669a079a4c75
Instruction Fuzzy Hash: 41E1A2B39047808AE7619F38D4803EDBBA4F354798F144129EE89577DADB38D682CB43

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF09F8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00002B992DDFA232,000000013FBEDCF9,?,?,?,?,000000013FBF3D32,?,?,00000000,000000013FBEE1F3,?,?,?), ref: 000000013FBF0A07
FlsSetValue.KERNEL32(?,?,00002B992DDFA232,000000013FBEDCF9,?,?,?,?,000000013FBF3D32,?,?,00000000,000000013FBEE1F3,?,?,?), ref: 000000013FBF0A3D
FlsSetValue.KERNEL32(?,?,00002B992DDFA232,000000013FBEDCF9,?,?,?,?,000000013FBF3D32,?,?,00000000,000000013FBEE1F3,?,?,?), ref: 000000013FBF0A6A
FlsSetValue.KERNEL32(?,?,00002B992DDFA232,000000013FBEDCF9,?,?,?,?,000000013FBF3D32,?,?,00000000,000000013FBEE1F3,?,?,?), ref: 000000013FBF0A7B
FlsSetValue.KERNEL32(?,?,00002B992DDFA232,000000013FBEDCF9,?,?,?,?,000000013FBF3D32,?,?,00000000,000000013FBEE1F3,?,?,?), ref: 000000013FBF0A8C
SetLastError.KERNEL32(?,?,00002B992DDFA232,000000013FBEDCF9,?,?,?,?,000000013FBF3D32,?,?,00000000,000000013FBEE1F3,?,?,?), ref: 000000013FBF0AA7

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 01a268636fbdeda739f22a670003d803f7de8d182125cab696239c8be3d0f118
Instruction ID: 5c9c74b6392235d7aa27506b22bd5226e2e26c59ebc4124079ae38be96a498fa
Opcode Fuzzy Hash: 01a268636fbdeda739f22a670003d803f7de8d182125cab696239c8be3d0f118
Instruction Fuzzy Hash: DF11AFB5F0030542FA546B31EA553E9E2829B887F0F14973CA87A067FEDE39C64B8240

Uniqueness

Uniqueness Score: -1.00%

Function 6BE481A0 Relevance: 9.1, APIs: 6, Instructions: 55fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 6BE481C3
WriteFile.KERNEL32 ref: 6BE481E9
GetStdHandle.KERNEL32 ref: 6BE481F3
WriteFile.KERNEL32 ref: 6BE48221
GetStdHandle.KERNEL32 ref: 6BE4822B
WriteFile.KERNEL32 ref: 6BE48251

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: FileHandleWrite
String ID:
API String ID: 3320372497-0
Opcode ID: 319ed979488f15241d6a635eaefc13e86de23c9428766b61921c3b10f7b15803
Instruction ID: 458e5ccb581a942e5e0e82a95b8b99a0cd1468963a546c9ff3e7b13f8830b058
Opcode Fuzzy Hash: 319ed979488f15241d6a635eaefc13e86de23c9428766b61921c3b10f7b15803
Instruction Fuzzy Hash: 5711ED1231596448E7189BB2BC1179A7251A789FD8F24837AAD6E47BE4DF3CC08283D0

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD3E00 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000013FBD3E19

Part of subcall function 000000013FBD65B0: GetCurrentThreadId.KERNEL32(000000013FBD305E), ref: 000000013FBD66A8
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD675A
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6771
Part of subcall function 000000013FBD65B0: CreateFileW.KERNEL32 ref: 000000013FBD679B

Strings

received kAMDeviceNotificationStopped action, xrefs: 000000013FBD3E52
received kAMDeviceDetached action, xrefs: 000000013FBD3E77
received kAMDeviceAttached action, xrefs: 000000013FBD3E85
CMobileDeviceListener::HandleMobileDeviceNotification(), xrefs: 000000013FBD3E23
received unknown action (%d), xrefs: 000000013FBD3E44

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalEnterSection$CreateCurrentFileThread
String ID: CMobileDeviceListener::HandleMobileDeviceNotification()$received kAMDeviceAttached action$received kAMDeviceDetached action$received kAMDeviceNotificationStopped action$received unknown action (%d)
API String ID: 4231907919-2832115663
Opcode ID: 11a2e075e34ed0d9d3f7579c63c71f0a3be8f9758189425526bf37571e2a08f6
Instruction ID: 72f740eb5e6e9e52280e1e098b000ba1736c9167df05c358149743d4c0f50354
Opcode Fuzzy Hash: 11a2e075e34ed0d9d3f7579c63c71f0a3be8f9758189425526bf37571e2a08f6
Instruction Fuzzy Hash: C2113AF1E1068491F624AF25E8057E9E320A744784F48513ABA86126EECF39C78BC767

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD8B30 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FBD8EA4
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FBD8EAA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FBD8EB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000013FBD8EBC

Strings

nzyj5cx40ttqa, xrefs: 000000013FBD8D4B, 000000013FBD8D6D

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: nzyj5cx40ttqa
API String ID: 3936042273-369995452
Opcode ID: 0a41fc59f1b62d7afdf9e9611e5cc5442c2ece647804f23b3a77e1e1928df277
Instruction ID: 41b1eb59c3549b2253e10110d9e03b851ba17d21b9a003ead3732e5d9cd29179
Opcode Fuzzy Hash: 0a41fc59f1b62d7afdf9e9611e5cc5442c2ece647804f23b3a77e1e1928df277
Instruction Fuzzy Hash: 17A1BEB2B15B8099FB00CF74D5403DCA362E749798F444629EE6D17BEADB78C686C342

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDD0E8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000013FBDD113
_IsNonwritableInCurrentImage.LIBCMT ref: 000000013FBDD1A8
RtlUnwindEx.KERNEL32 ref: 000000013FBDD1F7

Strings

f, xrefs: 000000013FBDD126
csm, xrefs: 000000013FBDD18E

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 29a62fd970dc32458c688bce9ad1de560091d2cb3cfb02250b2b7f494fa5ead3
Instruction ID: c2fd6d1447ce45359ed98912fb9218d64e763c1d4cc3eae943e89f66dce1eef0
Opcode Fuzzy Hash: 29a62fd970dc32458c688bce9ad1de560091d2cb3cfb02250b2b7f494fa5ead3
Instruction Fuzzy Hash: 0551D1B2B01600CAEB54EF25E444B99B7A5F348BC8F118238EE964778CDB74DA42C702

Uniqueness

Uniqueness Score: -1.00%

Function 6BE4C660 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,6BE4C7D2,?,?,?,?,6BE56127), ref: 6BE4C67A
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,6BE4C7D2,?,?,?,?,6BE56127), ref: 6BE4C689
GetLogicalProcessorInformation.KERNEL32(?,?,?,?,?,?,?,?,?,6BE4C7D2,?,?,?,?,6BE56127), ref: 6BE4C6C5

Strings

kernel32.dll, xrefs: 6BE4C673
GetLogicalProcessorInformation, xrefs: 6BE4C682

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: AddressHandleInformationLogicalModuleProcProcessor
String ID: GetLogicalProcessorInformation$kernel32.dll
API String ID: 4292003513-812649623
Opcode ID: 3b4b0924f19bb9e407b63a49b031a4330654d4ec17db5ebb9aec849a6b39ba72
Instruction ID: 8ca76bc2b8f583fdcd273d12990e17c702c93dceb5f679efdcfd3fb97134ec74
Opcode Fuzzy Hash: 3b4b0924f19bb9e407b63a49b031a4330654d4ec17db5ebb9aec849a6b39ba72
Instruction Fuzzy Hash: 382158326026148EDB44DF35E59929D3BA5EB44BCCF20216AF60E47B18DF79C8D9C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBEE680 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000000013FBEE6A5
GetProcAddress.KERNEL32 ref: 000000013FBEE6BB
FreeLibrary.KERNEL32 ref: 000000013FBEE6E2

Strings

CorExitProcess, xrefs: 000000013FBEE6B4
mscoree.dll, xrefs: 000000013FBEE69C

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fbfdb10de66448dbc241282a1ad3488d8ba21be0d24f4693b64693b8e6d8c624
Instruction ID: 2806cf304c8dae7a65af84e3cf8e37b65e95cda282fe1fc380baa09cae09a6b6
Opcode Fuzzy Hash: fbfdb10de66448dbc241282a1ad3488d8ba21be0d24f4693b64693b8e6d8c624
Instruction Fuzzy Hash: ADF062B1A1170581EB109B24E8547A99321BB997A1F94163DD66A452F8DF3DC24BC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD9930 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,00000000,000000013FBD308F), ref: 000000013FBD9943
GetProcAddress.KERNEL32(?,?,00000000,000000013FBD308F), ref: 000000013FBD995B
FreeLibrary.KERNEL32(?,?,00000000,000000013FBD308F), ref: 000000013FBD997C

Strings

GetCurrentPackagePath, xrefs: 000000013FBD9951
kernel32.dll, xrefs: 000000013FBD993A

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetCurrentPackagePath$kernel32.dll
API String ID: 145871493-1537745806
Opcode ID: 2fa8dacda9a2a5c93730cdbeb28ba2d7876c22e5f016b2438ffb50a8c886d06f
Instruction ID: 9abc31802e3d615dab34cc1b74af3cb06a5c6fd4c9940969e3cc756d1846ca34
Opcode Fuzzy Hash: 2fa8dacda9a2a5c93730cdbeb28ba2d7876c22e5f016b2438ffb50a8c886d06f
Instruction Fuzzy Hash: 20F05471F1174081EB44DF55F5847A9A361BB88780F48583DE91A42768EF3CC74A8600

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDD6B8 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 000000013FBDD7DB
__AdjustPointer.LIBCMT ref: 000000013FBDD826

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 93ff60b04d408f334fabc5721a47d3d5baa5d7c02017824e367b26aeeb6bf317
Instruction ID: e597af8174ac7ec91d207ada1177c0435b23cbf214d32a602e7fc46afb233914
Opcode Fuzzy Hash: 93ff60b04d408f334fabc5721a47d3d5baa5d7c02017824e367b26aeeb6bf317
Instruction Fuzzy Hash: 84B18EB2A06A44D1EA669F15D4803A9E790EB58BC4F09893DAEC9077DDDB39C6538303

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD38B0 Relevance: 7.6, APIs: 5, Instructions: 80threadwindowCOMMON

Download Yara Rule

APIs

GetPropA.USER32 ref: 000000013FBD38D6
DefWindowProcA.USER32 ref: 000000013FBD38F4
PostThreadMessageA.USER32 ref: 000000013FBD3940
DestroyWindow.USER32 ref: 000000013FBD394B
SetPropA.USER32 ref: 000000013FBD3965

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: PropWindow$DestroyMessagePostProcThread
String ID:
API String ID: 2227124644-0
Opcode ID: bd4f10650631a75663ead75c7bc6ec9d681bf6a5735d8700f3535a1bde8d7187
Instruction ID: 4700d78882147c53773af571f1a194d5a3bbc0d4f996915ac0753541d161ce67
Opcode Fuzzy Hash: bd4f10650631a75663ead75c7bc6ec9d681bf6a5735d8700f3535a1bde8d7187
Instruction Fuzzy Hash: B6317FB1E0470181FA649F56E9943E8E261A745BC4F0C043EFA46177EEDA6FCA478323

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE5AC8 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FBE5AF3
CreateThread.KERNEL32 ref: 000000013FBE5B34
GetLastError.KERNEL32(?,?,?,?,00000000,000000013FBD5124,?,?,?,?,00000000,000000013FBD2E86), ref: 000000013FBE5B42
CloseHandle.KERNEL32 ref: 000000013FBE5B58
FreeLibrary.KERNEL32(?,?,?,?,00000000,000000013FBD5124,?,?,?,?,00000000,000000013FBD2E86), ref: 000000013FBE5B67

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 5fcb5b378eb968763da44a80a56519326b06c4b6a072ebfe58107360d84148bb
Instruction ID: 04010b38dd3a43836283a0346417741333e6c5f34eccdde6cd57f7f1dcf80450
Opcode Fuzzy Hash: 5fcb5b378eb968763da44a80a56519326b06c4b6a072ebfe58107360d84148bb
Instruction Fuzzy Hash: 5B211AB9A05B4089EE14DF65F4503E9F3A1BB98BD0F084539EE5D87B59DE7CC6068600

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBFBBF8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000013FBFBC20
_set_statfp.LIBCMT ref: 000000013FBFBC3B
_set_statfp.LIBCMT ref: 000000013FBFBC57
_set_statfp.LIBCMT ref: 000000013FBFBC93

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 294b3f9744d026325944edce4feecdf3d22c0093d8c68ca8215e412a494e173a
Instruction ID: af89a81ba89785fa16ae6afaaeaedab37421af103c3caf435e6d66dff0ae1c70
Opcode Fuzzy Hash: 294b3f9744d026325944edce4feecdf3d22c0093d8c68ca8215e412a494e173a
Instruction Fuzzy Hash: 2611C6F2E54B0726F7581128E4563E79180AB587B4F08963CF96707BDECE2A8B8F9100

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD85F0 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,FFFFFFFF,00000000,000000013FBD627F), ref: 000000013FBD8607
EnterCriticalSection.KERNEL32 ref: 000000013FBD8626
_invalid_parameter_noinfo.LIBCMT ref: 000000013FBD8676
LeaveCriticalSection.KERNEL32 ref: 000000013FBD867F
LeaveCriticalSection.KERNEL32 ref: 000000013FBD8689

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalSection$EnterLeave$_invalid_parameter_noinfo
String ID:
API String ID: 2310279950-0
Opcode ID: ec9380e02f427a3e887e39069d41858fe792cc241cdab3d6eb553eb884881c93
Instruction ID: 43547b5b25ba18b9f7c142375482b696920db70956068727fb0497a174992f51
Opcode Fuzzy Hash: ec9380e02f427a3e887e39069d41858fe792cc241cdab3d6eb553eb884881c93
Instruction Fuzzy Hash: 6F1173B1A0478056FA055F66E9053EAE250AB5AFF1F044238EA1907ADEDF68C6478206

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF0AC0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000013FBED847,?,?,00000000,000000013FBEDAE2,?,?,?,?,?,000000013FBEDA6E), ref: 000000013FBF0ADF
FlsSetValue.KERNEL32(?,?,?,000000013FBED847,?,?,00000000,000000013FBEDAE2,?,?,?,?,?,000000013FBEDA6E), ref: 000000013FBF0AFE
FlsSetValue.KERNEL32(?,?,?,000000013FBED847,?,?,00000000,000000013FBEDAE2,?,?,?,?,?,000000013FBEDA6E), ref: 000000013FBF0B26
FlsSetValue.KERNEL32(?,?,?,000000013FBED847,?,?,00000000,000000013FBEDAE2,?,?,?,?,?,000000013FBEDA6E), ref: 000000013FBF0B37
FlsSetValue.KERNEL32(?,?,?,000000013FBED847,?,?,00000000,000000013FBEDAE2,?,?,?,?,?,000000013FBEDA6E), ref: 000000013FBF0B48

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: fd1d3b6c411fdf7a17c303d4863063fc1c155c4511383b150e60a08007bf8254
Instruction ID: 636eeca5ebe64e987088836bf979c2bee36e02f576a6984f90daee2879755088
Opcode Fuzzy Hash: fd1d3b6c411fdf7a17c303d4863063fc1c155c4511383b150e60a08007bf8254
Instruction Fuzzy Hash: 5711BFB0F0070541FA58AB35E9917E9E252AB947F4F58533CA93A067FFDE39C6478240

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF0954 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 000000013FBF0965
FlsSetValue.KERNEL32 ref: 000000013FBF0984
FlsSetValue.KERNEL32 ref: 000000013FBF09AC
FlsSetValue.KERNEL32 ref: 000000013FBF09BD
FlsSetValue.KERNEL32 ref: 000000013FBF09CE

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 785c0a99e285cefd74391223a65e3919330946fda276fa9c8b9794417d3e7ec7
Instruction ID: 9825145a0eeba04e933e767f0fa6503d8d4761204e91476d33b21dcb16e3df41
Opcode Fuzzy Hash: 785c0a99e285cefd74391223a65e3919330946fda276fa9c8b9794417d3e7ec7
Instruction Fuzzy Hash: C21161B0F4030941FA686B79D8127E991429BD53F4F14973C997A0A3FFEA39D74B8281

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDE9D8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000000013FBDEA48
_CallSETranslator.LIBVCRUNTIME ref: 000000013FBDEA93

Strings

MOC, xrefs: 000000013FBDEA5C
RCC, xrefs: 000000013FBDEA64

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 2b4d928047f35922730304493831ac4990864c9ff03719c8d85e12f30cdae734
Instruction ID: 93f5c7ca72d31088c08ad53faf6f24ea986b3e8742b21f0f9a7297fe1938375c
Opcode Fuzzy Hash: 2b4d928047f35922730304493831ac4990864c9ff03719c8d85e12f30cdae734
Instruction Fuzzy Hash: 719192B3A047948AE711CF65E8903DDBBB0F744788F144129EF8957B99DB38D296CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDEF4C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000013FBDEF74
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000000013FBDF05C

Strings

csm, xrefs: 000000013FBDEF96
csm, xrefs: 000000013FBDF0AE

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 17154edcb995ee05828c9d9b51f4a5893df044ab9d2bfa73246452588fd6ace7
Instruction ID: 7254ee49c173358263b64d028e59b0fd124ed5258e27ab01e05aaf10249660bc
Opcode Fuzzy Hash: 17154edcb995ee05828c9d9b51f4a5893df044ab9d2bfa73246452588fd6ace7
Instruction Fuzzy Hash: 985191B290878086EB748F25D55439CBBA4F355B94F144129FB9847BDECB38D692CB03

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD3810 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD3360: WaitForSingleObject.KERNEL32 ref: 000000013FBD33AC
Part of subcall function 000000013FBD3360: _mbsupr.LIBCMT ref: 000000013FBD3422
Part of subcall function 000000013FBD3360: Process32Next.KERNEL32 ref: 000000013FBD345F
Part of subcall function 000000013FBD3360: CloseHandle.KERNEL32 ref: 000000013FBD346C
Part of subcall function 000000013FBD3360: RegOpenKeyExA.ADVAPI32 ref: 000000013FBD34B6
Part of subcall function 000000013FBD3360: RegQueryValueExA.ADVAPI32 ref: 000000013FBD350B

SysFreeString.OLEAUT32 ref: 000000013FBD386B
SysFreeString.OLEAUT32 ref: 000000013FBD3875

Part of subcall function 000000013FBD65B0: GetCurrentThreadId.KERNEL32(000000013FBD305E), ref: 000000013FBD66A8
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD675A
Part of subcall function 000000013FBD65B0: EnterCriticalSection.KERNEL32 ref: 000000013FBD6771
Part of subcall function 000000013FBD65B0: CreateFileW.KERNEL32 ref: 000000013FBD679B

Part of subcall function 000000013FBD1720: SysStringLen.OLEAUT32 ref: 000000013FBD179F
Part of subcall function 000000013FBD1720: SysFreeString.OLEAUT32 ref: 000000013FBD17AF
Part of subcall function 000000013FBD1720: MultiByteToWideChar.KERNEL32 ref: 000000013FBD17CE
Part of subcall function 000000013FBD1720: SysAllocStringLen.OLEAUT32 ref: 000000013FBD17DB
Part of subcall function 000000013FBD1720: MultiByteToWideChar.KERNEL32 ref: 000000013FBD1802
Part of subcall function 000000013FBD1720: SysStringLen.OLEAUT32 ref: 000000013FBD1824
Part of subcall function 000000013FBD1720: VarBstrCat.OLEAUT32 ref: 000000013FBD183C
Part of subcall function 000000013FBD1720: SysFreeString.OLEAUT32 ref: 000000013FBD1848
Part of subcall function 000000013FBD1720: SysStringLen.OLEAUT32 ref: 000000013FBD186D
Part of subcall function 000000013FBD1720: VarBstrCat.OLEAUT32 ref: 000000013FBD1889
Part of subcall function 000000013FBD1720: SysFreeString.OLEAUT32 ref: 000000013FBD1895
Part of subcall function 000000013FBD1720: SysStringLen.OLEAUT32 ref: 000000013FBD18AC
Part of subcall function 000000013FBD1720: SysFreeString.OLEAUT32 ref: 000000013FBD1A33
Part of subcall function 000000013FBD1720: SysFreeString.OLEAUT32 ref: 000000013FBD1A3D

Strings

CItunesHelperMsgListener::Launch_iTunes() - NOT ok to Launch!, xrefs: 000000013FBD384D
CItunesHelperMsgListener::Launch_iTunes() - OK to Launch!, xrefs: 000000013FBD3836

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: String$Free$BstrByteCharCriticalEnterMultiSectionWide$AllocCloseCreateCurrentFileHandleNextObjectOpenProcess32QuerySingleThreadValueWait_mbsupr
String ID: CItunesHelperMsgListener::Launch_iTunes() - NOT ok to Launch!$CItunesHelperMsgListener::Launch_iTunes() - OK to Launch!
API String ID: 2127640348-2365413097
Opcode ID: b7f4ce8b243426e40cd0049ebcc46229a115af31500903672e5d60eede6a9391
Instruction ID: ce079ce92f6ccfe8459feaae81d2ebf19234e426d5a4964a40c76dcaa26f455e
Opcode Fuzzy Hash: b7f4ce8b243426e40cd0049ebcc46229a115af31500903672e5d60eede6a9391
Instruction Fuzzy Hash: 40015EB4B1074081FA48AF25D5503E9A361E780B90F085439EA09076DECF2AC65B8352

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD3F10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 000000013FBD3F4B
EnterCriticalSection.KERNEL32 ref: 000000013FBD3F58

Strings

timerID == kMobileDeviceResubscribeTimerID, xrefs: 000000013FBD3F39
D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\MobileDeviceListener.cpp, xrefs: 000000013FBD3F2C

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalEnterKillSectionTimer
String ID: D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\iTunesHelper\MobileDeviceListener.cpp$timerID == kMobileDeviceResubscribeTimerID
API String ID: 3568000350-1376296042
Opcode ID: a3e3992318ef14403295c00c1aedcc3e80f365b3b2bcb317c9a8b6a66e89dd65
Instruction ID: 695f01a1460f8712cba39764d2c845cb471b3477b2646813b7bbee4cd77fc328
Opcode Fuzzy Hash: a3e3992318ef14403295c00c1aedcc3e80f365b3b2bcb317c9a8b6a66e89dd65
Instruction Fuzzy Hash: A9F082B1E54B45D1FA409F16F984BE5A320F7A4B84F845039E909076FD9E2DC79BC301

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF9EFC Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000000013FBF9F7B
WriteFile.KERNEL32 ref: 000000013FBFA243
WriteFile.KERNEL32 ref: 000000013FBFA289
GetLastError.KERNEL32 ref: 000000013FBFA33F

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 121267bb7df3aa258e1c85b07bf07d6216f6440df5c099c72d538968e5e771e9
Instruction ID: ea18340b33104dba684aa03400fe985f7ccc9cf572b5373711a0daeee46a4461
Opcode Fuzzy Hash: 121267bb7df3aa258e1c85b07bf07d6216f6440df5c099c72d538968e5e771e9
Instruction Fuzzy Hash: C6D19CB2B14B808AE715CF69D4403ECB7BAF344B98F148229DE5997B9DDA35C64BC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBFA824 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000000013FBFA940
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013FBFA80F,00000000), ref: 000000013FBFA9CB

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: f69f43bd3180882cedac2a279c4bd6430da6845056f4bb2ea38d39d8c77d23d3
Instruction ID: 15568dd8ac098188a571109ed2b58453afa2035ea22e65e96b5c02d307945668
Opcode Fuzzy Hash: f69f43bd3180882cedac2a279c4bd6430da6845056f4bb2ea38d39d8c77d23d3
Instruction Fuzzy Hash: A591A1B2F10790C5F758CF65D4803EDABA8A744F88F54412DDE4A57A89DB3AC68BC700

Uniqueness

Uniqueness Score: -1.00%

Function 6BE54300 Relevance: 6.1, APIs: 4, Instructions: 104threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32 ref: 6BE54319
SetThreadPreferredUILanguages.KERNEL32 ref: 6BE5438A
SetThreadPreferredUILanguages.KERNEL32 ref: 6BE543F6
SetThreadPreferredUILanguages.KERNEL32 ref: 6BE54435

Part of subcall function 6BE542A0: GetThreadPreferredUILanguages.KERNEL32 ref: 6BE542C4
Part of subcall function 6BE542A0: GetThreadPreferredUILanguages.KERNEL32 ref: 6BE542EC

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 1a6ca4b4bf74247a47c0fb09211f913226520dfc2c311b3e54c252bdeb4bbe4a
Instruction ID: b9b8b102ff58f1a91d1873900d2b018f497e81aaabfff3eb444c3eeb2e4da4f8
Opcode Fuzzy Hash: 1a6ca4b4bf74247a47c0fb09211f913226520dfc2c311b3e54c252bdeb4bbe4a
Instruction Fuzzy Hash: 0B31AF772115609ADB48DF35EA542EE2772EB447DCF902126FE0787B68DB7AC4A5C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDA8E0 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 000000013FBDA8EF

Part of subcall function 000000013FBD9DF8: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 000000013FBD9E1A

__scrt_acquire_startup_lock.LIBCMT ref: 000000013FBDA904
__scrt_release_startup_lock.LIBCMT ref: 000000013FBDA972
__scrt_get_show_window_mode.LIBCMT ref: 000000013FBDA9C5

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 61f16cc6ada6a60f1c142649b1bc40caf53e114f8a20a5f315308f1e3ce305eb
Instruction ID: 417449e71589c073f06cabfa0f4db83656130526d158e334f70c40c6d2130e4f
Opcode Fuzzy Hash: 61f16cc6ada6a60f1c142649b1bc40caf53e114f8a20a5f315308f1e3ce305eb
Instruction Fuzzy Hash: D631A2F1E41240C6FB54AF69E5613E9A2959B81384F45543CB649472EFDE2C8B4BC343

Uniqueness

Uniqueness Score: -1.00%

Function 6BE54460 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 6BE544C0
EnterCriticalSection.KERNEL32 ref: 6BE54595
LeaveCriticalSection.KERNEL32 ref: 6BE545CD

Memory Dump Source

Source File: 0000000A.00000002.510605183.000000006BE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6BE40000, based on PE: true

Associated: 0000000A.00000002.510602210.000000006BE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510605183.000000006BF88000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510627770.000000006BF8B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510630664.000000006BF8C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510633632.000000006BF8D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510636597.000000006BF8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510639528.000000006BF90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510642616.000000006BF92000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510645780.000000006BF93000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510648669.000000006BF95000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510652529.000000006BFAB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510655703.000000006BFB1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510658685.000000006BFB6000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFBA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.510662023.000000006BFCE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6be40000_iTunesHelper.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 9e80c20bab758db8cc8054d685c93522879ceb526ba6dea55be9d22b913360c8
Instruction ID: df1c6b027ba52e39a3c4d25d3afb5321781827a791d303ac905f7188de1f4457
Opcode Fuzzy Hash: 9e80c20bab758db8cc8054d685c93522879ceb526ba6dea55be9d22b913360c8
Instruction Fuzzy Hash: B7414162200A10C8DB54DF71E8913AD3772EB8479CF651126EA1ECBA68DF7EC5E5C390

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBE0AC0 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000000013FBE0B17
GetSystemInfo.KERNEL32 ref: 000000013FBE0B30
VirtualAlloc.KERNEL32 ref: 000000013FBE0B9E
VirtualProtect.KERNEL32 ref: 000000013FBE0BB9

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 97f41f8ce2a9f6a6696a39ee6abcffc46ef767a5258316586e69072ece0116ac
Instruction ID: 634259327d778e67d63a5ab3d53f6c293a434c297d7a0a9f4d85780827922354
Opcode Fuzzy Hash: 97f41f8ce2a9f6a6696a39ee6abcffc46ef767a5258316586e69072ece0116ac
Instruction Fuzzy Hash: 79317A72710B849EEB20CF35D8947D873A5F748B88F854429EA4E87B58DF39D64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD30D0 Relevance: 6.1, APIs: 4, Instructions: 80threadwindowCOMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,000000013FBD1C15), ref: 000000013FBD314D
CoReleaseServerProcess.OLE32 ref: 000000013FBD318D
SetEvent.KERNEL32(?,?,?,?,?,?,?,000000013FBD1C15), ref: 000000013FBD31A6
PostThreadMessageA.USER32 ref: 000000013FBD31C6

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CriticalDeleteEventMessagePostProcessReleaseSectionServerThread
String ID:
API String ID: 2992442974-0
Opcode ID: 8e4252f1b348df6c924ecf5ff6a85f565933e6bde9dec1b0310b915dbd3f5c20
Instruction ID: d63aa02fe3402bedaa2c509e43f5b7d0c588ebb390f1625ecd5ca3775f4fe3df
Opcode Fuzzy Hash: 8e4252f1b348df6c924ecf5ff6a85f565933e6bde9dec1b0310b915dbd3f5c20
Instruction Fuzzy Hash: 7231AD72B00B8186EB14DF26E44039EA3A4F784B84F1C4439EF5907B9ACF39CA96C751

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD8FE0 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 000000013FBD9053
VerSetConditionMask.KERNEL32 ref: 000000013FBD9064
VerSetConditionMask.KERNEL32 ref: 000000013FBD9075
VerifyVersionInfoA.KERNEL32 ref: 000000013FBD9088

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 7f531c5ea5382b422b416a6cb1e51257c7bfd78ad4f283a59d68eda78c520b4e
Instruction ID: 7dc319afc7d7f24a244c4cd4dcc31f33643ccba1a8b48f19bda241c116d3af09
Opcode Fuzzy Hash: 7f531c5ea5382b422b416a6cb1e51257c7bfd78ad4f283a59d68eda78c520b4e
Instruction Fuzzy Hash: 59110D76D187C183E710CF21E4543AAB3A1F3E9704F11A329EA8D06715EB7DD6D68B44

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDF184 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000013FBDF1AE

Strings

csm, xrefs: 000000013FBDF1D3
csm, xrefs: 000000013FBDF342

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: e05f943ff51b347511aba1ffee117274e44ff8b8d777144ae57211cd662de935
Instruction ID: c6e35d455bc554e76dd0bbd0a5f3c15297af83559ed227312b5c5a62433d38f0
Opcode Fuzzy Hash: e05f943ff51b347511aba1ffee117274e44ff8b8d777144ae57211cd662de935
Instruction Fuzzy Hash: 657183B290968086DB618F25E4607ADFBA0F754FD4F158129EE884BBCDD738C652C743

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDE7BC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000000013FBDE808

Strings

MOC, xrefs: 000000013FBDE81C
RCC, xrefs: 000000013FBDE825

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 1435ffc62e8753ab977fa743d398f0d29982861df538086d1b7bf0f94791c234
Instruction ID: 287b261d56a1346a0f99d2af1e5a5485ede821a869d1c92686d3536282095150
Opcode Fuzzy Hash: 1435ffc62e8753ab977fa743d398f0d29982861df538086d1b7bf0f94791c234
Instruction Fuzzy Hash: 89616AB3A01B848AE720DF65D4803DDB7A1F358B9CF144229EF4917B99CB38C256C702

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF32D8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FBF34A0

Strings

JanFebMarAprMayJunJulAugSepOctNovDec, xrefs: 000000013FBF33D2
SunMonTueWedThuFriSat, xrefs: 000000013FBF33A4

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: JanFebMarAprMayJunJulAugSepOctNovDec$SunMonTueWedThuFriSat
API String ID: 3215553584-2143786750
Opcode ID: f985b59b386dc2b99b79ff982a4cb7ad7016e16c00ac25bcf35adc67a3f7a929
Instruction ID: 59b9d7fe6f5d67b9d6ca348e5682c28c91e86319a91f9688f40449b5e63ed210
Opcode Fuzzy Hash: f985b59b386dc2b99b79ff982a4cb7ad7016e16c00ac25bcf35adc67a3f7a929
Instruction Fuzzy Hash: 6E51CEB2A0138097EB1ACF18D5987ECB761A755744F88C03AC6058778BDB3ADA1AC761

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBF2BEC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBE0F90: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE0FC3

_get_daylight.LIBCMT ref: 000000013FBF2D04
_get_daylight.LIBCMT ref: 000000013FBF2D15

Strings

?, xrefs: 000000013FBF2C95

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8e4b223bb18fcd5f17b90937aec0d9c75f0234b8f735c28f00ccc4d8cf1b3474
Instruction ID: fd8f333a9e4d8678402586d15dc117fcf46c7d5ee192ec4b3789b8065027bda3
Opcode Fuzzy Hash: 8e4b223bb18fcd5f17b90937aec0d9c75f0234b8f735c28f00ccc4d8cf1b3474
Instruction Fuzzy Hash: FA4119B2B1478056FB249B25E4513EAE660E790BA4F14423DEED807EEDDB3AC647C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDF818 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000013FBDF8C2
_CreateFrameInfo.LIBVCRUNTIME ref: 000000013FBDF8EE

Strings

csm, xrefs: 000000013FBDF9EE

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: fca0483de9b0fa939f7b26b712f6193c396b5384a9adb9a24223d1f0755b63cd
Instruction ID: b0f16a2a9ec0b359986a5950cb3d2e50492fb102f8ea38b81f308ea996dcf261
Opcode Fuzzy Hash: fca0483de9b0fa939f7b26b712f6193c396b5384a9adb9a24223d1f0755b63cd
Instruction Fuzzy Hash: 21513EB761574086E660EF25E44039EBBF4F388BA0F145129EB8947B99CB38C562CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBFA594 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000013FBFA6AB
GetLastError.KERNEL32 ref: 000000013FBFA6CD

Strings

U, xrefs: 000000013FBFA657

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0b5a7e79469549b242472dd014f1ebaa24882eb94c0cedeb932111a1d3df3415
Instruction ID: 1b3eb5dcdaa97051789b96ffbf94d176627ecf520d47f58ba3f7e2fb38bc3dc6
Opcode Fuzzy Hash: 0b5a7e79469549b242472dd014f1ebaa24882eb94c0cedeb932111a1d3df3415
Instruction Fuzzy Hash: 1041B272B14B44D1DB208F25E8443E9A7A5F798B94F814039EE4D87798DB3DC646C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBDBFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FBDAADB), ref: 000000013FBDBFF4
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FBDAADB), ref: 000000013FBDC03A

Strings

csm, xrefs: 000000013FBDC027

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: f67719db860f5f84d74875cfcfc983da18b19b4b8c4f86296ed4e5ed49dc3f0d
Instruction ID: a21e7bfce4f0bbbda58ca53b513e7aed048cb0d0c071862f1bed93fc2ae1e40e
Opcode Fuzzy Hash: f67719db860f5f84d74875cfcfc983da18b19b4b8c4f86296ed4e5ed49dc3f0d
Instruction Fuzzy Hash: E9112E72614B8082EB618F15F440399B7A5F788B94F184225EF8D07799DF3DC656CB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD6C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD5EC0: InitializeCriticalSection.KERNEL32 ref: 000000013FBD5F39

GetModuleHandleA.KERNEL32 ref: 000000013FBD6C79
GetModuleFileNameA.KERNEL32 ref: 000000013FBD6C8D

Part of subcall function 000000013FBE6EAC: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6EE4

Strings

Started %s (%s), xrefs: 000000013FBD6CDA

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Module$CriticalFileHandleInitializeNameSection_invalid_parameter_noinfo
String ID: Started %s (%s)
API String ID: 3725157555-3984459306
Opcode ID: c61f5a16bf8027e920478a51313bced64caa3594db5f583a95780fb3cabf27c8
Instruction ID: f082e870d032f0640841d6ba839b4521e3bb90ffe628286cc50b94cb2463d23a
Opcode Fuzzy Hash: c61f5a16bf8027e920478a51313bced64caa3594db5f583a95780fb3cabf27c8
Instruction Fuzzy Hash: 51112175A1578482EA51EF20F4517EEA361F786740FC01039B64D42BD9DF3DC60AC742

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD6B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FBD5EC0: InitializeCriticalSection.KERNEL32 ref: 000000013FBD5F39

GetModuleHandleA.KERNEL32 ref: 000000013FBD6BB9
GetModuleFileNameA.KERNEL32 ref: 000000013FBD6BCD

Part of subcall function 000000013FBE6EAC: _invalid_parameter_noinfo.LIBCMT ref: 000000013FBE6EE4

Strings

Stopped %s (%s), xrefs: 000000013FBD6C1A

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: Module$CriticalFileHandleInitializeNameSection_invalid_parameter_noinfo
String ID: Stopped %s (%s)
API String ID: 3725157555-1266345863
Opcode ID: c333885c6cad1c558b64e30484895d0202c60523ea27ceda5659a018fd8b8999
Instruction ID: e55c9720281ecb809ebd1bacbcebeb619ed93caf2e41fc5f5f31c2888ccd1813
Opcode Fuzzy Hash: c333885c6cad1c558b64e30484895d0202c60523ea27ceda5659a018fd8b8999
Instruction Fuzzy Hash: 71112E71A1578482EA51EF20E4517EEA361FB8A740FC01039BA4D42ADADF3DC60ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FBD3C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(?,?,00000000,000000013FBD2E93), ref: 000000013FBD3C56
Sleep.KERNEL32(?,?,00000000,000000013FBD2E93), ref: 000000013FBD3C9C

Strings

DoMsgPump, xrefs: 000000013FBD3C5C

Memory Dump Source

Source File: 0000000A.00000002.510674284.000000013FBD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000000013FBD0000, based on PE: true

Associated: 0000000A.00000002.510671270.000000013FBD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510679359.000000013FBFE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510683405.000000013FC0F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510686501.000000013FC10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.510689610.000000013FC12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13fbd0000_iTunesHelper.jbxd

Similarity

API ID: CreateEventSleep
String ID: DoMsgPump
API String ID: 3100162736-4138071542
Opcode ID: 2d7793d109980c7dbfb0a621cef23f39ab30e487b54f1aab22f7992a423727f4
Instruction ID: 474594af97566ead23120ecbf6045bbf0b5fb8312db7998465b369f6216a9e49
Opcode Fuzzy Hash: 2d7793d109980c7dbfb0a621cef23f39ab30e487b54f1aab22f7992a423727f4
Instruction Fuzzy Hash: 21F044B1F1474082F7545F61F5807E99252F744780F495138EA0647FC9DB79C6968316

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Autoit3.exePID: 3468, Parent PID: 3456COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	17.8%
Signature Coverage:	2.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	117

Executed Functions

Function 04C15C08 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 04C15C23
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04C15C41
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04C15C5F
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 04C15C7D
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,04C15D0C,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 04C15CC6
RegQueryValueExA.ADVAPI32(?,04C15E88,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,04C15D0C,?,80000001), ref: 04C15CE4
RegCloseKey.ADVAPI32(?,04C15D13,00000000,00000000,00000005,00000000,04C15D0C,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04C15D06
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 04C15D23
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 04C15D30
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 04C15D36
lstrlen.KERNEL32(00000000), ref: 04C15D61
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 04C15DB6
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04C15DC6
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 04C15DF2
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04C15E02
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04C15E2C
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04C15E3C

Strings

Software\Borland\Locales, xrefs: 04C15C37, 04C15C55
Software\Borland\Delphi\Locales, xrefs: 04C15C73

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 548ff9e1b4aeffb6376a1cf5c1ae29b0ae2b1ab45e361d8f52e38d555762f552
Instruction ID: 5be77b12f09d26f1009f2feebff60e480545d7849c5a492c0f03067816b89b15
Opcode Fuzzy Hash: 548ff9e1b4aeffb6376a1cf5c1ae29b0ae2b1ab45e361d8f52e38d555762f552
Instruction Fuzzy Hash: D8615371E042497EEB11DAE4CC85FEF77FE9F4E304F4440A1A604E6191DBB8AB54AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F95240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F9526C
IsDebuggerPresent.KERNEL32 ref: 00F9527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00F952E6

Part of subcall function 00F91821: _memmove.LIBCMT ref: 00F9185B

Part of subcall function 00F8BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F8BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00F95366
MessageBoxA.USER32 ref: 00FD0B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00FD0B66
GetForegroundWindow.USER32 ref: 00FD0BE9
ShellExecuteW.SHELL32(00000000), ref: 00FD0BF0

Part of subcall function 00F9514C: GetSysColorBrush.USER32 ref: 00F95156
Part of subcall function 00F9514C: LoadCursorW.USER32 ref: 00F95165
Part of subcall function 00F9514C: LoadIconW.USER32 ref: 00F9517C
Part of subcall function 00F9514C: LoadIconW.USER32 ref: 00F9518E
Part of subcall function 00F9514C: LoadIconW.USER32 ref: 00F951A0
Part of subcall function 00F9514C: LoadImageW.USER32 ref: 00F951C6
Part of subcall function 00F9514C: RegisterClassExW.USER32(?), ref: 00F9521C

Part of subcall function 00F950DB: CreateWindowExW.USER32 ref: 00F95109
Part of subcall function 00F950DB: CreateWindowExW.USER32 ref: 00F9512A
Part of subcall function 00F950DB: ShowWindow.USER32(00000000), ref: 00F9513E
Part of subcall function 00F950DB: ShowWindow.USER32(00000000), ref: 00F95147

Part of subcall function 00F959D3: _memset.LIBCMT ref: 00F959F9
Part of subcall function 00F959D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F95A9E

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00FD0B28
AutoIt, xrefs: 00FD0B23
runas, xrefs: 00FD0BE4

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 98c68ab50b322c257bccdc472a7ecfeebd3c2e38a3710759db8baf4c169b6ee3
Instruction ID: 11feb68cddf6eeec4cf8ecc5bf99c01df55b1bd85a00e0b146c198ee0d512f7d
Opcode Fuzzy Hash: 98c68ab50b322c257bccdc472a7ecfeebd3c2e38a3710759db8baf4c169b6ee3
Instruction Fuzzy Hash: 965148B1E04248ABEF22ABF0DD86EED7B39BB45740F00406AF4C1A6156CB7E4545EB20

Uniqueness

Uniqueness Score: -1.00%

Function 04C15D12 Relevance: 15.1, APIs: 10, Instructions: 102
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 04C15D23
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 04C15D30
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 04C15D36
lstrlen.KERNEL32(00000000), ref: 04C15D61
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 04C15DB6
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04C15DC6
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 04C15DF2
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04C15E02
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04C15E2C
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04C15E3C

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID:
API String ID: 1599918012-0
Opcode ID: 4b89cfe6d2ad99b3820c8892dd5a81aca17e3f0bdab2e43b01d0f32107218ad3
Instruction ID: 1d28acadc63b233bd6b9066bfc30b5514996b06e3c99f1758138641e3314b215
Opcode Fuzzy Hash: 4b89cfe6d2ad99b3820c8892dd5a81aca17e3f0bdab2e43b01d0f32107218ad3
Instruction Fuzzy Hash: BA312171E042497EEF15DAE8C888BEF77BE9F4D304F044191A245E2190DBB8AB559B50

Uniqueness

Uniqueness Score: -1.00%

Function 00F81663 Relevance: 7.9, APIs: 5, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F829E2: GetWindowLongW.USER32(?,000000EB), ref: 00F829F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F81DD6
GetSysColor.USER32 ref: 00F81E2A
SetBkColor.GDI32(?,00000000), ref: 00F81E3D

Part of subcall function 00F8166C: DefDlgProcW.USER32(?,00000020,?), ref: 00F816B4

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 8257176442fd6518b9f5f540b81dd774b85faae356349ef33b6f112171636b20
Instruction ID: 286866e4b09aa2f038098964faeb3356979442beff4d749015c73791055bc6e4
Opcode Fuzzy Hash: 8257176442fd6518b9f5f540b81dd774b85faae356349ef33b6f112171636b20
Instruction Fuzzy Hash: 9AA126B6505409BBE639BAAA8C88FFB3A5DFB45321F14030AF442C5185CB699D03F776

Uniqueness

Uniqueness Score: -1.00%

Function 00FE494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00FCFC86), ref: 00FE495A
FindFirstFileW.KERNELBASE(?,?), ref: 00FE496B
FindClose.KERNEL32(00000000), ref: 00FE497B

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 555ee79ca257e049acf239366d235aebbf5e85dff374d6175cd2e8a585e1f7cf
Instruction ID: 835745c749db2fd619a2b4c5343747e42e6467ed850e4380e514838b625240bc
Opcode Fuzzy Hash: 555ee79ca257e049acf239366d235aebbf5e85dff374d6175cd2e8a585e1f7cf
Instruction Fuzzy Hash: 2FE02632810516AB8220663CEC0D8EF775C9E0A339F100709F8B5D20C8EB7CAD88A7D6

Uniqueness

Uniqueness Score: -1.00%

Function 00F894E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ed2dfb469cf4db7b85b95f860dda0963af055de7e62bc70e55c4922dee5aea
Instruction ID: 35c2ac58c5b4a0d4a46b91c320f5770751fb047d6018807af4f18f13d835bd93
Opcode Fuzzy Hash: c1ed2dfb469cf4db7b85b95f860dda0963af055de7e62bc70e55c4922dee5aea
Instruction Fuzzy Hash: 44228B75E082068FDB14EF54C881BFEB7B0FF45310F188169E856AB351E7B4A981EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F8BF57

Part of subcall function 00F852B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F852E6

Sleep.KERNEL32(0000000A,?,?), ref: 00FC36B5

Strings

CALL, xrefs: 00F8C277
@GUI_CTRLHANDLE, xrefs: 00FC3816
@TRAY_ID, xrefs: 00FC3FCD
@GUI_CTRLID, xrefs: 00FC376C
@COM_EVENTOBJ, xrefs: 00FC3D2E
@GUI_WINHANDLE, xrefs: 00FC37C1

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: 19bf3c7619ea2f205f9befaa84ae95563a12b9e6a4dcda0c3467259e4ada7225
Instruction ID: de0279a28d983e50c18a79fec39f444e53913bebad0f7f8df2ecda7343b2807d
Opcode Fuzzy Hash: 19bf3c7619ea2f205f9befaa84ae95563a12b9e6a4dcda0c3467259e4ada7225
Instruction Fuzzy Hash: 4EC2E470A08342DFD728EF14C995FAAB7E5BF84310F14891DF48A87291CB79E944EB52

Uniqueness

Uniqueness Score: -1.00%

Function 04C6CAA9 Relevance: 35.3, APIs: 3, Strings: 17, Instructions: 280
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000007D0,00000000,04C6CEB6,?,00000000,00000000), ref: 04C6CC08
Sleep.KERNEL32(00000064,00000000,04C6CEB6,?,00000000,00000000), ref: 04C6CC3D
GetCurrentThreadId.KERNEL32(00000064,00000000,04C6CEB6,?,00000000,00000000), ref: 04C6CDD9

Part of subcall function 04C408BC: CloseHandle.KERNEL32(00000000), ref: 04C409C9

Part of subcall function 04C408BC: GetCurrentProcessId.KERNEL32 ref: 04C40986
Part of subcall function 04C408BC: OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 04C409A0

Part of subcall function 04C40B2C: Sleep.KERNEL32(00000002,00000000,04C40B9D,?,00000001), ref: 04C40B7D

Strings

uu.txt, xrefs: 04C6CCF6, 04C6CE0C, 04C6CE2D
test, xrefs: 04C6CB56
u.txt, xrefs: 04C6CC89, 04C6CCC8
script.a3x, xrefs: 04C6CE67
autoit3.exe, xrefs: 04C6CE4A
vbc.exe, xrefs: 04C6CCA1
c:\temp\just_test.txt, xrefs: 04C6CB48
c.txt, xrefs: 04C6CBE7
mutex1, xrefs: 04C6CD36
debug 0 , xrefs: 04C6CC26
cc.txt, xrefs: 04C6CB7E, 04C6CBAC
c:\temp\test_ok, xrefs: 04C6CB5B
Yes, xrefs: 04C6CC6E, 04C6CDF1
mutex0, xrefs: 04C6CD14
6.2.1, xrefs: 04C6CB10
c:\debugg, xrefs: 04C6CC0D
.a3x, xrefs: 04C6CD6F

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: Sleep$CurrentProcess$CloseHandleOpenThread
String ID: .a3x$6.2.1$Yes$autoit3.exe$c.txt$c:\debugg$c:\temp\just_test.txt$c:\temp\test_ok$cc.txt$debug 0 $mutex0$mutex1$script.a3x$test$u.txt$uu.txt$vbc.exe
API String ID: 2094150352-1200978658
Opcode ID: 186a7a3d0b35dcab69922cdefb3d2dc18d361f04a0faf1cf9975983a696863ab
Instruction ID: bfd60b58c1145a68aaa1f420da5894b0b6dbbb89d5a7652925e46e8357689179
Opcode Fuzzy Hash: 186a7a3d0b35dcab69922cdefb3d2dc18d361f04a0faf1cf9975983a696863ab
Instruction Fuzzy Hash: 27B14178A001488FFB01FBA4D580ACDB7B7EF86358F148155D491AB2A5DB34FD05EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04C6CAE4 Relevance: 35.3, APIs: 3, Strings: 17, Instructions: 258
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000007D0,00000000,04C6CEB6,?,00000000,00000000), ref: 04C6CC08
Sleep.KERNEL32(00000064,00000000,04C6CEB6,?,00000000,00000000), ref: 04C6CC3D
GetCurrentThreadId.KERNEL32(00000064,00000000,04C6CEB6,?,00000000,00000000), ref: 04C6CDD9

Part of subcall function 04C408BC: CloseHandle.KERNEL32(00000000), ref: 04C409C9

Part of subcall function 04C408BC: GetCurrentProcessId.KERNEL32 ref: 04C40986
Part of subcall function 04C408BC: OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 04C409A0

Part of subcall function 04C40B2C: Sleep.KERNEL32(00000002,00000000,04C40B9D,?,00000001), ref: 04C40B7D

Strings

uu.txt, xrefs: 04C6CCF6, 04C6CE0C, 04C6CE2D
test, xrefs: 04C6CB56
u.txt, xrefs: 04C6CC89, 04C6CCC8
script.a3x, xrefs: 04C6CE67
autoit3.exe, xrefs: 04C6CE4A
vbc.exe, xrefs: 04C6CCA1
c:\temp\just_test.txt, xrefs: 04C6CB48
c.txt, xrefs: 04C6CBE7
mutex1, xrefs: 04C6CD36
debug 0 , xrefs: 04C6CC26
cc.txt, xrefs: 04C6CB7E, 04C6CBAC
c:\temp\test_ok, xrefs: 04C6CB5B
Yes, xrefs: 04C6CC6E, 04C6CDF1
mutex0, xrefs: 04C6CD14
6.2.1, xrefs: 04C6CB10
c:\debugg, xrefs: 04C6CC0D
.a3x, xrefs: 04C6CD6F

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: Sleep$CurrentProcess$CloseHandleOpenThread
String ID: .a3x$6.2.1$Yes$autoit3.exe$c.txt$c:\debugg$c:\temp\just_test.txt$c:\temp\test_ok$cc.txt$debug 0 $mutex0$mutex1$script.a3x$test$u.txt$uu.txt$vbc.exe
API String ID: 2094150352-1200978658
Opcode ID: f0e429d7d2c64f52057639f721f40d60b102ce9094cd12bef494a957d1b0788d
Instruction ID: 2f11f181509cc2c23e2390bf8d1af777e3ab8241657d07cd94150299617998d0
Opcode Fuzzy Hash: f0e429d7d2c64f52057639f721f40d60b102ce9094cd12bef494a957d1b0788d
Instruction Fuzzy Hash: 5EA10D78A002488BFB04FBA4D580ACDB7B7EF8534CF148065E451AB255DB34FD45EBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00F82BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32 ref: 00F82C8C
GetSystemMetrics.USER32 ref: 00F82C94
SystemParametersInfoW.USER32 ref: 00F82CBF
GetSystemMetrics.USER32 ref: 00F82CC7
GetSystemMetrics.USER32 ref: 00F82CEC
SetRect.USER32 ref: 00F82D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F82D19
CreateWindowExW.USER32 ref: 00F82D4C
SetWindowLongW.USER32 ref: 00F82D60
GetClientRect.USER32 ref: 00F82D7E
GetStockObject.GDI32(00000011), ref: 00F82D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F82DA5

Part of subcall function 00F82714: GetCursorPos.USER32(?), ref: 00F82727
Part of subcall function 00F82714: ScreenToClient.USER32(010477B0,?), ref: 00F82744
Part of subcall function 00F82714: GetAsyncKeyState.USER32 ref: 00F82769
Part of subcall function 00F82714: GetAsyncKeyState.USER32 ref: 00F82777

SetTimer.USER32(00000000,00000000,00000028,00F813C7), ref: 00F82DCC

Strings

AutoIt v3 GUI, xrefs: 00F82D44

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f308356b34e0ad4204296fcea531d7c5e3af2a847869faed706db38f6175879c
Instruction ID: 1213755a587b6f02dfe8dc85a44789440611f11500e82607a5afb7234891bc99
Opcode Fuzzy Hash: f308356b34e0ad4204296fcea531d7c5e3af2a847869faed706db38f6175879c
Instruction Fuzzy Hash: FDB17075A0020ADFDB24DF68D985BEE7BB4FB08320F104129FA55E7284DB79A941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F92FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FA00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00F93094), ref: 00FA00ED

Part of subcall function 00FA08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F9309F), ref: 00FA08E3

RegOpenKeyExW.KERNEL32 ref: 00F930E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FD01BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 00FD01FB
RegCloseKey.ADVAPI32(?), ref: 00FD0239
_wcscat.LIBCMT ref: 00FD0292

Strings

Software\AutoIt v3\AutoIt, xrefs: 00F930D8
Include, xrefs: 00FD01B1, 00FD01F2
\, xrefs: 00FD02B5
\Include\, xrefs: 00F9309F

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: f06dd75144e22323c7af71c9e1441503c23216da9b3a2bd4583e5de7f1a014f0
Instruction ID: 3d0d23f61a550ea54c793b09606c8e58a80c347111d98d4d6e700b4008cee71e
Opcode Fuzzy Hash: f06dd75144e22323c7af71c9e1441503c23216da9b3a2bd4583e5de7f1a014f0
Instruction Fuzzy Hash: 3971EFB15053019FD720EFA5EE8196BBBE8FF44310F40892FF484872A4EB399944DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F9514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00F95156
LoadCursorW.USER32 ref: 00F95165
LoadIconW.USER32 ref: 00F9517C
LoadIconW.USER32 ref: 00F9518E
LoadIconW.USER32 ref: 00F951A0
LoadImageW.USER32 ref: 00F951C6
RegisterClassExW.USER32(?), ref: 00F9521C

Part of subcall function 00F83411: GetSysColorBrush.USER32 ref: 00F83444
Part of subcall function 00F83411: RegisterClassExW.USER32(00000030), ref: 00F8346E
Part of subcall function 00F83411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F8347F
Part of subcall function 00F83411: InitCommonControlsEx.COMCTL32(?), ref: 00F8349C
Part of subcall function 00F83411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F834AC
Part of subcall function 00F83411: LoadIconW.USER32 ref: 00F834C2
Part of subcall function 00F83411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F834D1

Strings

AutoIt v3, xrefs: 00F9520B
#, xrefs: 00F95201
0, xrefs: 00F951FA

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: aa293240495fcaa1a08a0dc04fed4025941ca38d4812c05512f24e655c8e0842
Instruction ID: 9bb9a2653d472509d65606e3c462edd95dd1856a2629e45415d0a0f0e9ec6537
Opcode Fuzzy Hash: aa293240495fcaa1a08a0dc04fed4025941ca38d4812c05512f24e655c8e0842
Instruction Fuzzy Hash: 472168B9D00308AFEB219FA4EF89B9D7BB4FB08710F00011AF584A6298C7BB55409F80

Uniqueness

Uniqueness Score: -1.00%

Function 00F94D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F94E22
KillTimer.USER32 ref: 00F94E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F94E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F94E7A
CreatePopupMenu.USER32 ref: 00F94E8E
PostQuitMessage.USER32 ref: 00F94EAF

Strings

TaskbarCreated, xrefs: 00F94E75

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a0300cf5617056b9b46de76ad091957c0916bf5735887a17917e86f603de0e61
Instruction ID: 1a5ca69c347b91a8ec55ccb6984f44d1450e2a112dfe4ed702bec9084c60b12b
Opcode Fuzzy Hash: a0300cf5617056b9b46de76ad091957c0916bf5735887a17917e86f603de0e61
Instruction Fuzzy Hash: 7E4159B2A40209ABFF317F24DD89F7E3655F764310F04061AF58191289CB7EAC42B762

Uniqueness

Uniqueness Score: -1.00%

Function 04C44D14 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 29
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,04C6CB40,00000000,04C6CEB6,?,00000000,00000000), ref: 04C44D1F
LoadLibraryA.KERNEL32(Urlmon.dll,?,04C6CB40,00000000,04C6CEB6,?,00000000,00000000), ref: 04C44D4B

Strings

Shell32.dll, xrefs: 04C44D6A
user32.dll, xrefs: 04C44D52
Advapi32.dll, xrefs: 04C44D5E
LoadLibraryA, xrefs: 04C44D33
Urlmon.dll, xrefs: 04C44D46
ntdll.dll, xrefs: 04C44D76
kernel32.dll, xrefs: 04C44D1A

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: Advapi32.dll$LoadLibraryA$Shell32.dll$Urlmon.dll$kernel32.dll$ntdll.dll$user32.dll
API String ID: 4133054770-1140356178
Opcode ID: 36942063a2ccd7f22c4b142434cf900b3e0eadb0de46b3a3497418f37352bec3
Instruction ID: b96fa9e01c0d4ea1843cf7907211e11f97f624dbe59bafc3ff472e2c33978374
Opcode Fuzzy Hash: 36942063a2ccd7f22c4b142434cf900b3e0eadb0de46b3a3497418f37352bec3
Instruction Fuzzy Hash: 07F0BDB86807A0BFA7059FA4DA8A7243EB5FB45B013204265FD01CA264DB755820EF16

Uniqueness

Uniqueness Score: -1.00%

Function 00F950DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 00F95109
CreateWindowExW.USER32 ref: 00F9512A
ShowWindow.USER32(00000000), ref: 00F9513E
ShowWindow.USER32(00000000), ref: 00F95147

Strings

AutoIt v3, xrefs: 00F95101, 00F95106, 00F95107
edit, xrefs: 00F95124

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a86ed17e958a94dda0b4f38166ba903e56d5cb052d49cb29e84beb4cdbe2e334
Instruction ID: aa971f491d55a9a0785063190189e06daf99c496b1d1b1e6693dadcf10e25a7e
Opcode Fuzzy Hash: a86ed17e958a94dda0b4f38166ba903e56d5cb052d49cb29e84beb4cdbe2e334
Instruction Fuzzy Hash: F2F0FEB59412947FEA311627AE8CE373E7DE7C6F50F00011EB980A6158C77E1891DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F94A8C: _fseek.LIBCMT ref: 00F94AA4

Part of subcall function 00FE9CF1: _wcscmp.LIBCMT ref: 00FE9DE1
Part of subcall function 00FE9CF1: _wcscmp.LIBCMT ref: 00FE9DF4

_free.LIBCMT ref: 00FE9C5F
_free.LIBCMT ref: 00FE9C66
_free.LIBCMT ref: 00FE9CD1

Part of subcall function 00FA2F85: HeapFree.KERNEL32(00000000,00000000), ref: 00FA2F99
Part of subcall function 00FA2F85: GetLastError.KERNEL32(00000000,?,00FA9C54,00000000,00FA8D5D,00FA59C3), ref: 00FA2FAB

_free.LIBCMT ref: 00FE9CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00FE9B8F

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: ca51d0826612d8b729ab54a3d6d6b1d4699378c3dbc7ee4d7a4b93d00429a4e0
Instruction ID: 64612c0f1d0c6cffec56ff036b2a542e32ff1860a4c6a9c0ea83f2cc0be57c89
Opcode Fuzzy Hash: ca51d0826612d8b729ab54a3d6d6b1d4699378c3dbc7ee4d7a4b93d00429a4e0
Instruction Fuzzy Hash: 70514CB1E04259AFDF24DF65DC41AAEBBB9FF48304F10009EB649A3341DB755A809F58

Uniqueness

Uniqueness Score: -1.00%

Function 00FA563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA569B
_memcpy_s.LIBCMT ref: 00FA570D
__read_nolock.LIBCMT ref: 00FA576B
__filbuf.LIBCMT ref: 00FA578E
_memset.LIBCMT ref: 00FA57D2

Part of subcall function 00FA8D58: __getptd_noexit.LIBCMT ref: 00FA8D58

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: b5ff16a7b1390fa6ba3fcc66730c62015f4fb9c236b9de8f4b61d6cd8d9ae233
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: 8551B3B1E00B09DBDB248FA9D88066E77B5AF42B30F648729F835A62D0D7749D50AB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F81284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00F812A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00F812C9
RegCloseKey.ADVAPI32(00000000), ref: 00F812EB

Strings

Control Panel\Mouse, xrefs: 00F812A6

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2085299fd290091559d7b04c892a05b5953b0f04d2bb8af3fe93fdbc8e7831c2
Instruction ID: 261f69db8cf98f0119e33db8f746501cb243d02e6f9193872ba440c21a5f9340
Opcode Fuzzy Hash: 2085299fd290091559d7b04c892a05b5953b0f04d2bb8af3fe93fdbc8e7831c2
Instruction Fuzzy Hash: 37115A71910208BFDB219FA5D884EEFBBBCFF04750F004659F845D7104D2319E81A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F94B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00F94B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,00F927AF,?,00000001), ref: 00F94B97

Strings

kernel32.dll, xrefs: 00F94B80
Wow64DisableWow64FsRedirection, xrefs: 00F94B91

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 61a8afb20c2a54d3fbd1733bb8ded787779f7487b588aae8924732300bab0a20
Instruction ID: 128ded8baf278425451aec9fe0b32875ea1ec19d118b743afb35bae678b3b385
Opcode Fuzzy Hash: 61a8afb20c2a54d3fbd1733bb8ded787779f7487b588aae8924732300bab0a20
Instruction Fuzzy Hash: 5BD01270910716CFE7305F31D818B0676D4AF54355F11882DE4C5D6508D67CE4C0D710

Uniqueness

Uniqueness Score: -1.00%

Function 00F9278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00F949C2: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00F927AF,?,00000001), ref: 00F949F4

_free.LIBCMT ref: 00FCFB04
_free.LIBCMT ref: 00FCFB4B

Part of subcall function 00F929BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F92ADF

Strings

Bad directive syntax error, xrefs: 00FCFB33

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 8397e06de5501b15366f901692c5175d434543330a585d3dbca5091563795967
Instruction ID: c862a476604a102c62567542a26bdf7b3b65883f4ee1241a1edc087d50da7af1
Opcode Fuzzy Hash: 8397e06de5501b15366f901692c5175d434543330a585d3dbca5091563795967
Instruction Fuzzy Hash: 57915E7190021AAFDF14EFA4CD52EEDB7B5BF05310F14452EF416AB291DB38AA09EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F94AB2: __fread_nolock.LIBCMT ref: 00F94AD0

_wcscmp.LIBCMT ref: 00FE9DE1
_wcscmp.LIBCMT ref: 00FE9DF4

Strings

FILE, xrefs: 00FE9D2D

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: c8b2c4d37eaf5d6b3ecef47a5c0ce99b62a866c7111fcc28e88a483a1b873f22
Instruction ID: 24d1466bba5667ba6e34cddda1a8871df6327f6b2bd78b70e8bfd20b26f9f0f0
Opcode Fuzzy Hash: c8b2c4d37eaf5d6b3ecef47a5c0ce99b62a866c7111fcc28e88a483a1b873f22
Instruction Fuzzy Hash: C6412972A04249BADF20DEA1CC45FEF77FDDF45710F00406AFA00A7280D6B9A9059775

Uniqueness

Uniqueness Score: -1.00%

Function 00F931BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD032B
GetOpenFileNameW.COMDLG32(?), ref: 00FD0375

Part of subcall function 00FA0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F92A58,?,00008000), ref: 00FA02A4

Part of subcall function 00FA09C5: GetLongPathNameW.KERNELBASE ref: 00FA09E4

Strings

X, xrefs: 00FD0343

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 398d2c738d4c950d4ea39c79ecdad039e2171f9fcd989bc9b069b5bcc04bf2b9
Instruction ID: 5fff0bb39be450801ec4cb24f504bc512b6077a036f3235e545eabdfb70cc547
Opcode Fuzzy Hash: 398d2c738d4c950d4ea39c79ecdad039e2171f9fcd989bc9b069b5bcc04bf2b9
Instruction Fuzzy Hash: 9A218E71A00288ABDF55DF94DC45BEE7BFCAF49314F00405AE444A7241DBB95A88AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2909fd95c901343248958fe80133b4098e6cee443327c94ecfe8f4d3219780
Instruction ID: 4ca468a2dd024ece618d198aaf6a93004d3ec28e33cfa8e0a2e73d4c7c01fd89
Opcode Fuzzy Hash: aa2909fd95c901343248958fe80133b4098e6cee443327c94ecfe8f4d3219780
Instruction Fuzzy Hash: E8F15B71A083059FC714DF28C880A6ABBE5FF88314F14896EF9999B361D734E945DF82

Uniqueness

Uniqueness Score: -1.00%

Function 00F91680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F916DB
_memmove.LIBCMT ref: 00F9174C
_memmove.LIBCMT ref: 00F917B9

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3e4ef987079a1db2f14741667d86f14ab5ceeff7a22adc2afef66eb28d75443c
Instruction ID: f4856e57c897046cc2a4fc5ca8947d994a682ab86c2cfc325fd3cb644a06b67c
Opcode Fuzzy Hash: 3e4ef987079a1db2f14741667d86f14ab5ceeff7a22adc2afef66eb28d75443c
Instruction Fuzzy Hash: AA61DE71A0020AEBEF048F25D981BAA7BB5FF44310F15C169EC59CF298EB35D960EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F8AAAA Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA07BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FA07EC
Part of subcall function 00FA07BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FA07F4
Part of subcall function 00FA07BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FA07FF
Part of subcall function 00FA07BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FA080A
Part of subcall function 00FA07BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FA0812
Part of subcall function 00FA07BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FA081A

Part of subcall function 00F9FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F8AC6B), ref: 00F9FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F8AD08
OleInitialize.OLE32(00000000), ref: 00F8AD85
CloseHandle.KERNEL32(00000000), ref: 00FC2F56

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1b537386923b040a25e4f3664813f2ca8cd0cc790617d2cb8829e61f901202e5
Instruction ID: 944160752e32a7b82efddac3181d58bb973ff2056aa3cb63a477a9eee82a7d02
Opcode Fuzzy Hash: 1b537386923b040a25e4f3664813f2ca8cd0cc790617d2cb8829e61f901202e5
Instruction Fuzzy Hash: F881DFF89012808FD3A8EF39EAC56257FE4FB88314350896AD5C8C7259EB3E5408CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FA593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00FA5953

Part of subcall function 00FAA39B: __NMSG_WRITE.LIBCMT ref: 00FAA3C2
Part of subcall function 00FAA39B: __NMSG_WRITE.LIBCMT ref: 00FAA3CC

__NMSG_WRITE.LIBCMT ref: 00FA595A

Part of subcall function 00FAA3F8: GetModuleFileNameW.KERNEL32(00000000,010453BA,00000104,00000004,00000001,00FA1003), ref: 00FAA48A
Part of subcall function 00FAA3F8: ___crtMessageBoxW.LIBCMT ref: 00FAA538

Part of subcall function 00FA32CF: ___crtCorExitProcess.LIBCMT ref: 00FA32D5
Part of subcall function 00FA32CF: ExitProcess.KERNEL32 ref: 00FA32DE

Part of subcall function 00FA8D58: __getptd_noexit.LIBCMT ref: 00FA8D58

RtlAllocateHeap.NTDLL(00810000,00000000,00000001,?,00000004,?,?,00FA1003,?), ref: 00FA597F

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 7e32db691f33be780b8ea3ebf5667c0bf7d2af73665e9ab7ceec1cc9d825e31f
Instruction ID: 4f1ddaf89e3e672fb0b3a4dbbbfc87dcd40271c8ce3478b09712e6882a2d5175
Opcode Fuzzy Hash: 7e32db691f33be780b8ea3ebf5667c0bf7d2af73665e9ab7ceec1cc9d825e31f
Instruction Fuzzy Hash: 0901D2F6601B06DFE62526649C42B6F32588F47BB0F110026F954AE1C1DEB98D41A761

Uniqueness

Uniqueness Score: -1.00%

Function 00F948B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F948FA

Strings

EA06, xrefs: 00FD08A1

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 156bd1ac9003e494aa819fbe59f075bbc13d255daa9d187ddc1b98a1e39984fe
Instruction ID: cbc868a43d99988540c6935a16dbf777e5a2ac09404814d647cb1baa662e9feb
Opcode Fuzzy Hash: 156bd1ac9003e494aa819fbe59f075bbc13d255daa9d187ddc1b98a1e39984fe
Instruction Fuzzy Hash: AC417D32E041585BFF219B648C51FBF7BA28B66310F584075E882EB386C525AD86B3E1

Uniqueness

Uniqueness Score: -1.00%

Function 04C444F8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000,?,?,?,?,04C414D2,?,04C3740F,00000000,04C37470,?,00000000,00000000,00000000,00000000,00000000), ref: 04C4453A

Strings

GetFileAttributesA, xrefs: 04C4451E

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: GetFileAttributesA
API String ID: 3188754299-811605020
Opcode ID: 2cf51bd3d925b0aad2ece4a6ad78bfd3055152e9afc09b5bf9e0db700c7f5cac
Instruction ID: b903c30cd6fa94a119bf99280de3da77bb2fd9d4ddd81b6218a2be444219f4fb
Opcode Fuzzy Hash: 2cf51bd3d925b0aad2ece4a6ad78bfd3055152e9afc09b5bf9e0db700c7f5cac
Instruction Fuzzy Hash: 69F0C230640304AFEF08DBB9DE96B6977ADEB85314B710574F400D3160D674BE10FA18

Uniqueness

Uniqueness Score: -1.00%

Function 04C43F10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,04C43FAE,00000000,04C43FC6,?,?,?,?,04C414DD,?,04C3740F), ref: 04C43F4C

Strings

CreateDirectoryA, xrefs: 04C43F2E

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID: CreateDirectoryA
API String ID: 4241100979-2169353901
Opcode ID: 44a4b9cb0f352a44d273e61032dea90cd03118cdd0d7df722977cf5c61999f90
Instruction ID: bdef9cacc7a32e4ecf037ef93d54fd175bdb7ef13e947b460ef8fee2a4310ea5
Opcode Fuzzy Hash: 44a4b9cb0f352a44d273e61032dea90cd03118cdd0d7df722977cf5c61999f90
Instruction Fuzzy Hash: C3F08270754384BFF705DBA9DD52919B7FDE789710B9104B0F800C3620D675BE10EA24

Uniqueness

Uniqueness Score: -1.00%

Function 04C43D9C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(00000000,00000000,?,?,04C4388E,04C3CC91,00000000,00000000,00000002,00000000,00000000,04C3CCA7,?,00000000), ref: 04C43DB5

Strings

TerminateProcess, xrefs: 04C43DA2

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: TerminateProcess
API String ID: 560597551-2873147277
Opcode ID: c9e05715f58a147fae003d01d7fd072c52f4a3259df274845c70d745f98f0659
Instruction ID: 8c3417f2b34e265cbc532bdfda44c29a3d749aac5057de8c3fb07fcd8bf9f9de
Opcode Fuzzy Hash: c9e05715f58a147fae003d01d7fd072c52f4a3259df274845c70d745f98f0659
Instruction Fuzzy Hash: 54C08CB23112B03BA70092E9AC88CE32E9CEA881A13000121BA24C3220C9688C1097E0

Uniqueness

Uniqueness Score: -1.00%

Function 04C4156C Relevance: 3.1, APIs: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,?,00000000,00000000,00020119,?), ref: 04C415D9
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,?,00000100,?,00000000,00000000,00020119,?), ref: 04C415FE

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: bbecdcead5a17d38fc9b6fd7c59932135343a28e35962e4c140357568adfc206
Instruction ID: b704fecf19a7e4a85216a911af2a5585d83f6e832a8bd2c2352cfdee329ff6a9
Opcode Fuzzy Hash: bbecdcead5a17d38fc9b6fd7c59932135343a28e35962e4c140357568adfc206
Instruction Fuzzy Hash: F4115671A0021CABEB14DA98CC41FDFB3BDEF49314F004165E619D7250DB70AA44ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F942F9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F94327
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00FD0717

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3e1f97c74ec4bfacfa2277888681eaaebb4aeefcbb938c2efb086661fdd8c97
Instruction ID: 2158fedffd30157b30c2aa3c75b18b6c8e927d184f4309e51e38c000262b53af
Opcode Fuzzy Hash: b3e1f97c74ec4bfacfa2277888681eaaebb4aeefcbb938c2efb086661fdd8c97
Instruction Fuzzy Hash: 5A019670184309BEF7201E24CC86F667A9CEB11778F50C315FAE45A1D0C6B56C86AB14

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FA593C: __FF_MSGBANNER.LIBCMT ref: 00FA5953
Part of subcall function 00FA593C: __NMSG_WRITE.LIBCMT ref: 00FA595A
Part of subcall function 00FA593C: RtlAllocateHeap.NTDLL(00810000,00000000,00000001,?,00000004,?,?,00FA1003,?), ref: 00FA597F

std::exception::exception.LIBCMT ref: 00FA101C
__CxxThrowException@8.LIBCMT ref: 00FA1031

Part of subcall function 00FA87CB: RaiseException.KERNEL32(?,?,?,0103CAF8,?,?,?,?,?,00FA1036,?,0103CAF8,?,00000001), ref: 00FA8820

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: ebc4790d7b167f886017afb3bb6a603d057e3732e1cd95b807e48bf394d0f917
Instruction ID: 6a94b7850c0e0c746f1b371a8782b838e875cfd83e4120ee9d17d38599fa3171
Opcode Fuzzy Hash: ebc4790d7b167f886017afb3bb6a603d057e3732e1cd95b807e48bf394d0f917
Instruction Fuzzy Hash: 45F0CDF590421DA6C724BA58EC169DE77ACAF03370F504459F854E6191DF758A41E2E0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA584C
__lock_file.LIBCMT ref: 00FA586D

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: ef3827cc3cb34ae1b178109b7832d2e05113807e71f4cda6b2ff9b89905809c8
Instruction ID: b5c077db9d6b0b118abdcc9879e18f6a13d8b99d26b09363064e76eb0efcfc9e
Opcode Fuzzy Hash: ef3827cc3cb34ae1b178109b7832d2e05113807e71f4cda6b2ff9b89905809c8
Instruction Fuzzy Hash: CA0144F1C01649EBCF11AF668C0199E7B61AF82BA0F188115F8246B161D7798A22FF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FA55C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FA8D58: __getptd_noexit.LIBCMT ref: 00FA8D58

__lock_file.LIBCMT ref: 00FA560B

Part of subcall function 00FA6E3E: __lock.LIBCMT ref: 00FA6E61

__fclose_nolock.LIBCMT ref: 00FA5616

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 1f661b5c2760fe837f85fe7d4cb9f55f7fb1738b1c3c206deac579ba0cfd6b23
Instruction ID: 9dafeaafe99bc6d842d0258e173d50e0b335683c705133270314a0d6706f8d28
Opcode Fuzzy Hash: 1f661b5c2760fe837f85fe7d4cb9f55f7fb1738b1c3c206deac579ba0cfd6b23
Instruction Fuzzy Hash: 9AF0B4F2C01B059ED710AB798C0276E77A16F837B4F198209E424AB1C1CFBC8902BF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FAA05B Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNELBASE(00FA1003,?,?,?,00FA9F3B,00000000,00000FA0,00000000,0103CE28,00000008,00FA9E52,00FA1003,00FA1003,?,00FA9CAC,0000000D), ref: 00FAA074
InitializeCriticalSectionAndSpinCount.KERNEL32(00FA1003,?,?,00FA9F3B,00000000,00000FA0,00000000,0103CE28,00000008,00FA9E52,00FA1003,00FA1003,?,00FA9CAC,0000000D), ref: 00FAA07E

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: CriticalInitializeSection$CountSpin
String ID:
API String ID: 4156364057-0
Opcode ID: 09bdb2995f41c5f2f48d59284ff5c89f1554462717d89c1a0c3df1b67e11998c
Instruction ID: a2eb7769cd91ad10f3b588321c2dba3fce19498cfd0ac3467e0b2eb603da1da1
Opcode Fuzzy Hash: 09bdb2995f41c5f2f48d59284ff5c89f1554462717d89c1a0c3df1b67e11998c
Instruction Fuzzy Hash: E3D06776054148BFCF129FA4ED448AA3BAAFB49625B448420F99C89024D737A565AB40

Uniqueness

Uniqueness Score: -1.00%

Function 04C115D8 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000001,?,?,?,04C1196B), ref: 04C11607
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,04C1196B), ref: 04C1162E

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 03ef1aa8a137d35345f9ffab434c919246b30922a1f460d755134f724fe9ef98
Instruction ID: d7b1bf78506161c3216c6ac65ef3a0f23fad023b9f700a3cb6e6709209a51b7d
Opcode Fuzzy Hash: 03ef1aa8a137d35345f9ffab434c919246b30922a1f460d755134f724fe9ef98
Instruction Fuzzy Hash: FFF0E972B0062017E72059690C80B525586CB4F790F1C4070FB4DEF2DCD9569C01B291

Uniqueness

Uniqueness Score: -1.00%

Function 00F8A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3176a5c7a709d5fe656d431487d0204af59b89193d8033162ab05aa9da4ce8de
Instruction ID: 3e4024e45d965c94064918427d80ecdf42bd9b834bf0f1dde04ddc6fec7949db
Opcode Fuzzy Hash: 3176a5c7a709d5fe656d431487d0204af59b89193d8033162ab05aa9da4ce8de
Instruction Fuzzy Hash: A561CF71A04206DFEB10EF54C981FBAB7E5EF44310F11806EE9169B291E774ED81EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F8D679 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b111838eadede47fd666715e1fe4fade75d1c31453159e46848eb59f6294c06c
Instruction ID: 204e649a585da9b54ce2043181d1226233d452cdefb37692b5f91bc893c9808e
Opcode Fuzzy Hash: b111838eadede47fd666715e1fe4fade75d1c31453159e46848eb59f6294c06c
Instruction Fuzzy Hash: 205191316006059BDF14FB68CD92FAE77A6AF85710F148168F806AB392DB34FD05EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F9410A Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000000), ref: 00F941B2

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d821d3c15067d42824cd1bd909b563056c0cfd9af69e9e676b8a6fc509f844d4
Instruction ID: fb389e1c948313c70867ede2279d63d71d61c8fc92bce0e18d09f0718c9a358a
Opcode Fuzzy Hash: d821d3c15067d42824cd1bd909b563056c0cfd9af69e9e676b8a6fc509f844d4
Instruction Fuzzy Hash: 83316D71A00616AFDF19CF6CC880A5DB7B1FF64320F148629E81593714D770BDE19B90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0E38 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FA0EE7

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 43483e0d1aa23de5ea41c992fd024f6bad7d9f260e6a3450d2efbbe4734ceb4c
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0831D5B1A001099FC718DF18E4C0A69F7B6FF4A310B648AA5E409DB251EB31EDC1EBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00FBE2EA

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: dadf8f43cdada64298a3000cb958b0b98be56e0cdb92613cde0bf49dfe09801f
Instruction ID: 362ab0cbddb60b572e5146fbeb3ff5ea717e24ba5e24fbc9da1982c95e070c6f
Opcode Fuzzy Hash: dadf8f43cdada64298a3000cb958b0b98be56e0cdb92613cde0bf49dfe09801f
Instruction Fuzzy Hash: F7411A74904341CFDB14DF14C898B5ABBE1BF45358F0989ACE8898B362C336EC85DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F949C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94B29: FreeLibrary.KERNEL32(00000000,?), ref: 00F94B63

Part of subcall function 00FA547B: __wfsopen.LIBCMT ref: 00FA5486

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00F927AF,?,00000001), ref: 00F949F4

Part of subcall function 00F94ADE: FreeLibrary.KERNEL32(00000000), ref: 00F94B18

Part of subcall function 00F948B0: _memmove.LIBCMT ref: 00F948FA

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: dcd6778232eaa57e27b467af51adcbf9fcdfd7ba65acd6c81c406db9088b5424
Instruction ID: a48650b81ae7a242a74f93f9f9bd6fdf77d311fb5a86d6e7f1c283ff9f9ed409
Opcode Fuzzy Hash: dcd6778232eaa57e27b467af51adcbf9fcdfd7ba65acd6c81c406db9088b5424
Instruction Fuzzy Hash: 4411E732650205ABEF10FF70CC12FAE77A99F60711F10442DF581A6181EE7DAE16B7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00FBE3CE

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2bee598b4b5a45be84cfcde0aeb12fb8172f03fe8d281f49b2da4252e0e97af2
Instruction ID: 18924d975037676749ceb8b2af9a8b0b236cd226ab930c4c59bb699bcfe44cb9
Opcode Fuzzy Hash: 2bee598b4b5a45be84cfcde0aeb12fb8172f03fe8d281f49b2da4252e0e97af2
Instruction Fuzzy Hash: 4D2157B4908341CFCB14EF10C844B5ABBE4BF84314F05896CF88A97322C335E845EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F94220 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000), ref: 00F94276

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 28f5fb346bcb966aa61661f540988c0e1268c49a50bad6210aa515d06056b5fb
Instruction ID: 6cbfcae3ce1e06b66fa9bf1b8a14e0e0aed8de594fb7da78b7a3105c22592347
Opcode Fuzzy Hash: 28f5fb346bcb966aa61661f540988c0e1268c49a50bad6210aa515d06056b5fb
Instruction Fuzzy Hash: EF112B316007019FEB20CF55C480F62B7E5FB54720F10892DE9AA86640D775F8469B60

Uniqueness

Uniqueness Score: -1.00%

Function 00F94A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00F94AA4

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 509ca678fcb11e352ca30edc566164f6be2c1d7579124fa489e22f91e62bad87
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 8AF08CB6500208BFDF108F54DC00DEB7B7EEB85720F044198F9045A210D232EA219BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00F94A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00F927AF,?,00000001), ref: 00F94A63

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 71bdcc8de72f3c4bff1c7e4cae30ef743abde014b4436324e21a5902ce5ee440
Instruction ID: 00d30a88fec916780e7e7b6fb724fd389466d513ee9c13245a4153a726e7005f
Opcode Fuzzy Hash: 71bdcc8de72f3c4bff1c7e4cae30ef743abde014b4436324e21a5902ce5ee440
Instruction Fuzzy Hash: 65F01C72545701CFDB349F64D490C16BBF0AF64329314892EE1D683614C73AA984EB44

Uniqueness

Uniqueness Score: -1.00%

Function 00F94AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F94AD0

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 924745f4bcdb3d1d70f33833a35d93bd576cf9d25e3a74c917ddb7e1666675b9
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: 03F0F87240020DFFDF05CF90C941EAABB79FB15324F208589F9198A252D736EA21EB91

Uniqueness

Uniqueness Score: -1.00%

Function 04C15974 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02820408,?,00000105), ref: 04C15992

Part of subcall function 04C15C08: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 04C15C23
Part of subcall function 04C15C08: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04C15C41
Part of subcall function 04C15C08: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04C15C5F
Part of subcall function 04C15C08: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 04C15C7D
Part of subcall function 04C15C08: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,04C15D0C,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 04C15CC6
Part of subcall function 04C15C08: RegQueryValueExA.ADVAPI32(?,04C15E88,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,04C15D0C,?,80000001), ref: 04C15CE4
Part of subcall function 04C15C08: RegCloseKey.ADVAPI32(?,04C15D13,00000000,00000000,00000005,00000000,04C15D0C,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04C15D06

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: aca5e066b41eed28f3f5e6cb050fd2c26d221325605f938b2c0a29fe1b907219
Instruction ID: 1191787f1253f89e95922f83b24d511a161bcb797b77a8e2a70b7ea396d99905
Opcode Fuzzy Hash: aca5e066b41eed28f3f5e6cb050fd2c26d221325605f938b2c0a29fe1b907219
Instruction Fuzzy Hash: D2E09279A003109FDB10EE5CC8C0A4737D9AF49764F044551ED64CF38AD370EA20A7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00FA09C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE ref: 00FA09E4

Part of subcall function 00F91821: _memmove.LIBCMT ref: 00F9185B

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 09455233de6966aa0d7f914cf5e6dea0d484c703b6eeb30861004c17835c63d5
Instruction ID: de68ba63177005f0662ec13c187f7a7f7bac066abd3b5f3294e2dff987c550ab
Opcode Fuzzy Hash: 09455233de6966aa0d7f914cf5e6dea0d484c703b6eeb30861004c17835c63d5
Instruction Fuzzy Hash: 91E0863290012857CB2195989C15FEA77DDEB89690F0441B6FC49D7208D9699C819691

Uniqueness

Uniqueness Score: -1.00%

Function 00F942AE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000001), ref: 00F942BF

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: df796d50d7b32afa1620a8631a582268b1db0dd8e674b1744f3b225a8dfacfaf
Instruction ID: 65adb589d3be808e7a27334e5c6eb6642943d848f6880d0ce5089015001f9ac5
Opcode Fuzzy Hash: df796d50d7b32afa1620a8631a582268b1db0dd8e674b1744f3b225a8dfacfaf
Instruction Fuzzy Hash: 4DD0C77464020CBFE710CB80DC46FA9777CE705710F100194FD4466294D6B67D508795

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2E74 Relevance: 1.5, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FA3447: __lock.LIBCMT ref: 00FA3449

__onexit_nolock.LIBCMT ref: 00FA2E90

Part of subcall function 00FA2EB8: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,00FA2E95,00FBB7EA,0103CB50), ref: 00FA2ECB
Part of subcall function 00FA2EB8: DecodePointer.KERNEL32(?,?,00FA2E95,00FBB7EA,0103CB50), ref: 00FA2ED6
Part of subcall function 00FA2EB8: __realloc_crt.LIBCMT ref: 00FA2F17
Part of subcall function 00FA2EB8: __realloc_crt.LIBCMT ref: 00FA2F2B
Part of subcall function 00FA2EB8: EncodePointer.KERNEL32(00000000,?,?,00FA2E95,00FBB7EA,0103CB50), ref: 00FA2F3D
Part of subcall function 00FA2EB8: EncodePointer.KERNEL32(00FBB7EA,?,?,00FA2E95,00FBB7EA,0103CB50), ref: 00FA2F4B
Part of subcall function 00FA2EB8: EncodePointer.KERNEL32(00000004,?,?,00FA2E95,00FBB7EA,0103CB50), ref: 00FA2F57

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: bc27270d14a2dd2acda1d4184bd920be62b888d0e8a8a80efaa30ac88bdf63a4
Instruction ID: 9c510292e6b94605ceafe5105658f84bb706e59d746c27684363c4799feba436
Opcode Fuzzy Hash: bc27270d14a2dd2acda1d4184bd920be62b888d0e8a8a80efaa30ac88bdf63a4
Instruction Fuzzy Hash: DFD012F1D11209ABDB50FBA8CD0275D76706F467A2F508145F414A6292CBBC0A427B91

Uniqueness

Uniqueness Score: -1.00%

Function 00FA547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00FA5486

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: ecb25863353c257ef2f5256f7bbbba63acae7a5e8e2053e31f01ed0505059652
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 71B092BA44020CB7CE012A82EC03A593F299B45A68F408020FF0C1C162A677A6A0A689

Uniqueness

Uniqueness Score: -1.00%

Function 04C1177C Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 04C11815

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0231151bf38f8bef7f8fe188f5e3c452f2a8227aaf336e2768ddf5cc5785c6f7
Instruction ID: a340304d51ebeeb72496ac93ad6342847c68ffc5646135ba8808d1c0626a2e07
Opcode Fuzzy Hash: 0231151bf38f8bef7f8fe188f5e3c452f2a8227aaf336e2768ddf5cc5785c6f7
Instruction Fuzzy Hash: BB21CEB4604246DFD750CF2CC880A5AB7E5FF89350B188969FA98CB364E734E944DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04C40A98 Relevance: 1.3, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 04C40B01

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a228e4d5ec545dc3f51101f77d45d1133f32f9fe8ca6f64929c6fb44c8b24628
Instruction ID: 0b900ce6b3f29721f4ccc19f51ffb64561cdb446128f73e5b1fa151b1acd75eb
Opcode Fuzzy Hash: a228e4d5ec545dc3f51101f77d45d1133f32f9fe8ca6f64929c6fb44c8b24628
Instruction Fuzzy Hash: 5E018471A803047FF721EAA98C82FAE77ADDB86B18F610175F610E61E0D6707E00B659

Uniqueness

Uniqueness Score: -1.00%

Function 04C40B2C Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 04C40A98: CloseHandle.KERNEL32(00000000), ref: 04C40B01

Sleep.KERNEL32(00000002,00000000,04C40B9D,?,00000001), ref: 04C40B7D

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 34abaa3013cd14e0257cb6f50663f895546a6d4d122833e1824075ad521af683
Instruction ID: 891e27d75c194d646467b60439264d4ebb97d72c840728aa989d59873d00b13c
Opcode Fuzzy Hash: 34abaa3013cd14e0257cb6f50663f895546a6d4d122833e1824075ad521af683
Instruction Fuzzy Hash: BBF0A430A40608AFE704EBA5D941A9DB7FAEF46318F9144B1D504E36A0DB30BF00FA18

Uniqueness

Uniqueness Score: -1.00%

Function 00F942CF Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00F942EF

Memory Dump Source

Source File: 0000000B.00000002.413534380.0000000000F81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00F80000, based on PE: true

Associated: 0000000B.00000002.413530160.0000000000F80000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413551396.0000000001036000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413562101.0000000001040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.413566992.0000000001049000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f80000_Autoit3.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1ac064dab53d6690fc97a85fa01cea1232acc0baee8f97d2ac3f73ed91a086e9
Instruction ID: 8d569898a99cc13a8e78340b9b16f255b8b8d21b4359bb8074257aed5c50a9c4
Opcode Fuzzy Hash: 1ac064dab53d6690fc97a85fa01cea1232acc0baee8f97d2ac3f73ed91a086e9
Instruction Fuzzy Hash: 5FE0B675804B01CFD7314F1AE804812FBF8FFE13713214A2EE0E692664E3B0689ADB60

Uniqueness

Uniqueness Score: -1.00%

Function 04C437D8 Relevance: 1.3, APIs: 1, Instructions: 3sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000002,04C44265,00000000,04C44280), ref: 04C437D9

Memory Dump Source

Source File: 0000000B.00000002.414101277.0000000004C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c11000_Autoit3.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a6e43d64add5d8e39e435505db0193cf2a06b70e52d0dcf0324c1b46c5e6b6a6
Instruction ID: 272ba4273d5394084ed0c50012c00bdbb2b49db9d334c834902587b3e7e24467
Opcode Fuzzy Hash: a6e43d64add5d8e39e435505db0193cf2a06b70e52d0dcf0324c1b46c5e6b6a6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03825DDD Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.414017443.0000000003823000.00000040.00000020.00020000.00000000.sdmp, Offset: 03823000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3823000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction ID: 68ab1bed45d92fce699f8254b79d51630e84826072105574927b0c0050e52b82
Opcode Fuzzy Hash: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction Fuzzy Hash: 0A31083A1446A5ABDF20CAE88C04BA7FF58BF07278F5802D5E4A6D68C0DB3095D0C769

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\System Volume Information\SPP\OnlineMetadataCache\{7d5179c7-4762-4530-acc6-35e44f91e313}_OnDiskSnapshotProp

C:\System Volume Information\SPP\metadata-2

C:\System Volume Information\SPP\snapshot-2

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files.cab

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\4cd6e0f52e7043469984c6056cd7318a.tmp

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\642bddc38bf301459161108c3729c2ed.tmp

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\$dpx$.tmp\7435303a8a57ec42bc473d49b21b1a7e.tmp

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\CoreFoundation.dll (copy)

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\iTunesHelper.exe (copy)

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\files\sqlite3.dll (copy)

C:\Users\user\AppData\Local\Temp\MW-c4073f3e-f9c7-437a-a291-ddb95c099068\msiwrapper.ini

C:\Users\user\AppData\Local\Temp\~DF14CF158985C82578.TMP

C:\Users\user\AppData\Local\Temp\~DFC498C58ABD293963.TMP

C:\Users\user\AppData\Local\Temp\~DFF9711021A423063A.TMP

C:\Users\user\AppData\Roaming\cBDKKEc

Windows Analysis Report
test.msi

Function 6BE54890 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 153
registryCOMMON

Function 0208ED60 Relevance: 5.2, Strings: 4, Instructions: 153
COMMON

Function 6BE54F80 Relevance: 3.1, APIs: 2, Instructions: 58
COMMON

Function 6BE54DD0 Relevance: 3.0, APIs: 2, Instructions: 27
fileCOMMON

Function 6BF6C010 Relevance: 9236.6, APIs: 5267, Strings: 2, Instructions: 15891
COMMON

Function 6BE475A0 Relevance: 4.6, APIs: 3, Instructions: 65
COMMON

Function 6BE47BC0 Relevance: 3.9, APIs: 3, Instructions: 144
sleepCOMMON

Function 6BE477F0 Relevance: 2.7, APIs: 2, Instructions: 243
sleepCOMMON

Function 6BE550A0 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre